File name: Crybat.zip

Full analysis: https://app.any.run/tasks/e032408b-3437-49f0-8e56-c30dd1f9642b
Verdict: Malicious activity
Analysis date: August 12, 2022, 15:08:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: F84393EF80A184696BF1C4172E931FDA
SHA1: 678492E07E1B9E06F106FB289E6A0B232709B2E5
SHA256: D335DEA910391C6A22AB5E1B93908E4D2345DED546A28D4DD3546B0A91D04281
SSDEEP: 12288:YlCGFDJ908YfklCdBNNbaG6Gx/ufegY9Hqrlr/LZdLn/yGJaw6L9/m/6Wz:YUGMdLNbXxmfewr/L3aGJaw6R/m/6U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3096)
      • csc.exe (PID: 3944)
    • Application was dropped or rewritten from another process
      • Crybat.exe (PID: 2044)
    • Starts Visual C# compiler
      • Crybat.exe (PID: 2044)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3096)
      • Crybat.exe (PID: 2044)
    • Checks supported languages
      • WinRAR.exe (PID: 3096)
      • Crybat.exe (PID: 2044)
      • cvtres.exe (PID: 712)
      • csc.exe (PID: 3944)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3096)
      • csc.exe (PID: 3944)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3096)
      • csc.exe (PID: 3944)
    • Reads Environment values
      • Crybat.exe (PID: 2044)
    • Reads default file associations for system extensions
      • Crybat.exe (PID: 2044)
  • INFO
    • Manual execution by user
      • Crybat.exe (PID: 2044)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: Crybat/Crybat.exe
ZipUncompressedSize: 783360
ZipCompressedSize: 737053
ZipCRC: 0xad535c20
ZipModifyDate: 2022:08:07 09:52:27
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 41
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process nodes): winrar.exe, crybat.exe, csc.exe, cvtres.exe

Process information

PID: 3096
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Crybat.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 2044
CMD: "C:\Users\admin\Desktop\Crybat\Crybat.exe"
Path: C:\Users\admin\Desktop\Crybat\Crybat.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Crybat
Version: 1.0.0.0

PID: 3944
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\thwdkhhp.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: Crybat.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.0.30319.34209 built by: FX452RTMGDR

PID: 712
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC33.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDCC25467BB6945019CABC0F2E9BE1375.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 12.00.51209.34209 built by: FX452RTMGDR
Total events: 3 446
Read events: 3 350
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 2
Suspicious files: 2
Text files: 3
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2044 | Crybat.exe | C:\Users\admin\Desktop\Crybat\runpe.dll | binary
  MD5: 7B1B44B5928503DA4F90841B55639B99
  SHA256: 5CDA378DA45C575786B59F1C86E62923E720FC4A1AE4D09F6B86A6495C00D5A7
712 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESC33.tmp | o
  MD5: DFAF572434126C818AB8B956FA1FBCFF
  SHA256: CF484C71A74017C19B51FF15B7F5634E14167B09B93A716A8CE5C32B3438DD36
2044 | Crybat.exe | C:\Users\admin\AppData\Local\Temp\thwdkhhp.cmdline | text
  MD5: 97DD9DA118EEEE0727F0272A6CE4F2FA
  SHA256: 3C10769BB37EDB4F49A618E87B590ADA49C1AF15541430C2D6A5E54E8813B9C6
3944 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCDCC25467BB6945019CABC0F2E9BE1375.TMP | res
  MD5: 4C27EECB66BCE9EDEC33945C046F3236
  SHA256: F3B4B4978082239D86E4D2563716A1B909439A828906D95DC220D4AC2A9E76B3
2044 | Crybat.exe | C:\Users\admin\Desktop\Crybat\payload.exe | binary
  MD5: EFF61064BEF0B766556D82851039BCD9
  SHA256: A617DDD17ABBF2AB2E94B85E50F7E595B36985418710674277F571A2B7EE87C9
3944 | csc.exe | C:\Users\admin\AppData\Local\Temp\thwdkhhp.out | text
  MD5: C57AFC48DC6BE03365AD11D38B10945D
  SHA256: A63C2D018C7EC7E029C3404C044F5B8A33963DA32AB795AFC278ABB5D43D5092
3944 | csc.exe | C:\Users\admin\AppData\Local\Temp\tmpB39.tmp | executable
  MD5: 640FE6E63811E5BFD65ABBC91DD22111
  SHA256: 47AF0B8FB3E5E2F9A6DB9CF1D0C49797722DC5F50D9B02E81DD09CF5BC0CA796
2044 | Crybat.exe | C:\Users\admin\AppData\Local\Temp\thwdkhhp.0.cs | text
  MD5: FDFA71FDB211933B4868382769BCA063
  SHA256: 65BB9B060A3DFB67B583F79392B9E04773796D9CEA32D96E65C70E7228A89C5A
3096 | WinRAR.exe | C:\Users\admin\Desktop\Crybat\Crybat.exe | executable
  MD5: 1193D4B9F902362E8C5DAA9FEB2070B1
  SHA256: D56836BF3527BAD58B2A8B07B05372F5291637D3496D09535B4C671EDB700347
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests: No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2044 | Crybat.exe | 185.199.109.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious
2044 | Crybat.exe | 185.199.110.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious
2044 | Crybat.exe | 185.199.111.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | suspicious

DNS requests

Domain | IP | Reputation
raw.githubusercontent.com | 185.199.111.133, 185.199.110.133, 185.199.109.133, 185.199.108.133 | shared
dns.msftncsi.com | 131.107.255.255 | shared

Threats: No threats detected
Debug info: No debug info