analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Re-Loader_2.2.E_M_A.zip

Full analysis: https://app.any.run/tasks/0cffe8ac-a943-45e1-a475-8d6a336f0667
Verdict: Malicious activity
Analysis date: May 21, 2022, 10:35:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

4AD97213F92C5A65F64DA72B5A168A53

SHA1:

2ED8A07092F476155ECFDF6962CD70F772794F99

SHA256:

CB7A1E88EBEEF643537CA8ACEDFF68F8EA5BE7802A7768813B4D2EACBC4B5368

SSDEEP:

24576:wEK6GoKe1iMRwQAp/U3seqXs+fqtWg0UspguYR2lnTnrUGh1OGo:lZKewMRwQ3pqDfqQgFuo2xTRhBo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2932)
      • [email protected] (PID: 3080)
      • brset.exe (PID: 2684)
      • bootsect.exe (PID: 3980)
    • Reads the computer name

    • Drops a file with a compile date too recent

    • Executable content was dropped or overwritten

    • Reads Windows Product ID

    • Executed via COM

      • DllHost.exe (PID: 3192)
    • Reads Environment values

    • Executed as Windows Service

      • vssvc.exe (PID: 2876)
    • Searches for installed software

      • DllHost.exe (PID: 3192)
  • INFO

    • Manual execution by user

    • Reads the computer name

      • DllHost.exe (PID: 3192)
      • vssvc.exe (PID: 2876)
    • Checks supported languages

      • DllHost.exe (PID: 3192)
      • vssvc.exe (PID: 2876)
    • Reads Microsoft Office registry keys

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: SetupComplete.cmd
ZipUncompressedSize: 331
ZipCompressedSize: 176
ZipCRC: 0xcc3b0923
ZipModifyDate: 2015:03:10 14:28:20
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe re-[email protected] no specs re-[email protected] DllHost.exe no specs vssvc.exe no specs brset.exe no specs bootsect.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Re-Loader_2.2.E_M_A.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2464"C:\Users\admin\Desktop\[email protected]" C:\Users\admin\Desktop\[email protected]Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Activator
Exit code:
3221226540
Version:
2.2.3.0
3080"C:\Users\admin\Desktop\[email protected]" C:\Users\admin\Desktop\[email protected]
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Description:
Activator
Version:
2.2.3.0
3192C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2876C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2684"C:\Users\admin\AppData\Local\Temp\Re-Loader\OEM\brset.exe" /nt60 SYS /forceC:\Users\admin\AppData\Local\Temp\Re-Loader\OEM\brset.exe[email protected]
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Sector Manipulation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3980"C:\Users\admin\AppData\Local\Temp\Re-Loader\OEM\bootsect.exe" /nt52 SYS /forceC:\Users\admin\AppData\Local\Temp\Re-Loader\OEM\bootsect.exe[email protected]
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Sector Manipulation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 468
Read events
2 303
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
4
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
3192DllHost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2684brset.exe\Device\HarddiskVolume1
MD5:
SHA256:
3980bootsect.exe\Device\HarddiskVolume1
MD5:
SHA256:
2932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2932.1971\Readme\Lisezmoi.txttext
MD5:E2C6426E8F78CF30F14D93968A90CF7F
SHA256:E08EA033BF758F3F9601D6AA2D23ACA55EE307473B42DB9A63367597C048D07A
3192DllHost.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:03E0D7F9CD3F9B8122B16CF4B5658C9D
SHA256:C1F2C3A87822C61FDEE077276C7661593376B0EDFD30C3E9CD0049EC8E7E55A8
3080[email protected]C:\Users\admin\AppData\Local\Temp\Re-Loader\OEM\bootsect.exeexecutable
MD5:F2900E7CBF0390EDBDD014CBCDD26459
SHA256:930BE9B567B1C0710819EE95AA388640D617E503EE868332B3C24A1652C66AA9
2932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2932.1971\Readme\自述.txttext
MD5:932390B97A626CFFCAC17E821CCE1013
SHA256:3616FFEA81B4193A3C4A78CF25659F6B7AEC9AD57CBA5D6BEE6EE7133D828D53
2932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2932.1971\Readme\Readme.txttext
MD5:963F908CE0ED3D8EB251F2205F91139F
SHA256:46AFEE6C920CE80769A0C845CDCB4B4E2F571E0E238FA6087A14BC71171E7F06
2932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2932.1971\[email protected]executable
MD5:3C8289913E7994117532856CAEE1C06C
SHA256:391C989D2103DD488D9D4C2C8E1776BC6264F613656BB5BEBCD7722DB22160E7
3080[email protected]C:\Users\admin\AppData\Local\Temp\Re-Loader\OEM\SLIC\W5GWWbinary
MD5:49864D91EDA705BB680AF048D74AD0A5
SHA256:730DF9B3FFB7D69476D81EF8A20D4F845797B0344233F9C49EB962A378F7518C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info