Field | Value
---|---
File name: | Crybat.zip
Full analysis: | https://app.any.run/tasks/e032408b-3437-49f0-8e56-c30dd1f9642b
Verdict: | Malicious activity
Analysis date: | August 12, 2022, 15:08:33
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: |
MIME: | application/zip
File info: | Zip archive data, at least v2.0 to extract
MD5: | F84393EF80A184696BF1C4172E931FDA
SHA1: | 678492E07E1B9E06F106FB289E6A0B232709B2E5
SHA256: | D335DEA910391C6A22AB5E1B93908E4D2345DED546A28D4DD3546B0A91D04281
SSDEEP: | 12288:YlCGFDJ908YfklCdBNNbaG6Gx/ufegY9Hqrlr/LZdLn/yGJaw6L9/m/6Wz:YUGMdLNbXxmfewr/L3aGJaw6R/m/6U
Extension | Description
---|---
.zip | ZIP compressed archive (100)

Archive member | Value
---|---
ZipFileName: | Crybat/Crybat.exe
ZipUncompressedSize: | 783360
ZipCompressedSize: | 737053
ZipCRC: | 0xad535c20
ZipModifyDate: | 2022:08:07 09:52:27
ZipCompression: | Deflated
ZipBitFlag: | -
ZipRequiredVersion: | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3096 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Crybat.zip" | C:\Program Files\WinRAR\WinRAR.exe | - | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
2044 | "C:\Users\admin\Desktop\Crybat\Crybat.exe" | C:\Users\admin\Desktop\Crybat\Crybat.exe | - | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Description: Crybat; Version: 1.0.0.0
3944 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\thwdkhhp.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | - | Crybat.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 4.0.30319.34209 built by: FX452RTMGDR
712 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC33.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDCC25467BB6945019CABC0F2E9BE1375.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | - | csc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 12.00.51209.34209 built by: FX452RTMGDR
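The csc.exe then cvtres.exe pair under Crybat.exe (PIDs 3944 and 712), driven by a @*.cmdline response file in %TEMP%, is the process signature of a .NET binary compiling C# source at runtime (MITRE ATT&CK T1027.004, Compile After Delivery); the thwdkhhp.cmdline / .0.cs / .out files in the next table are that compile's inputs and log. The Python below is an added detection example, not part of the ANY.RUN report or of the sample. It runs over process-creation records constructed from the table above (the Explorer.EXE parent PID 1400 and the benign MSBuild control row are assumptions, and the build-tool allow-list is a tuning point) and flags compiler launches whose parent is not a build tool, escalating when the parent runs from a user-writable path and when the cvtres.exe link step follows.

```python
"""
Flag runtime C# compilation (csc.exe / vbc.exe) launched by an untrusted
parent, using only the fields a process-creation log carries.
Added example; sample records are constructed from the sandbox process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: the fields the report's process table shows."""
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_pid: int     # assumed; the report gives parent names, not PIDs
    parent_image: str


COMPILERS = ("csc.exe", "vbc.exe")

# Parents that legitimately drive the compiler. Assumed allow-list; tune per estate
# (Windows PowerShell's Add-Type also spawns csc.exe and is a common noise source).
TRUSTED_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe", "w3wp.exe")

# Locations a freshly dropped binary typically runs from.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)
# CodeDom-style invocation: csc.exe ... @"...\Temp\<random>.cmdline"
TEMP_RESPONSE_FILE = re.compile(r'@"?[^"\s]*\\temp\\[^"\s]*\.cmdline"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding per suspicious compiler launch, with corroborating cvtres.exe children attached."""
    findings = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        if basename(e.parent_image) in TRUSTED_PARENTS:
            continue  # normal build activity
        reasons = [f"compiler launched by non-build-tool parent {basename(e.parent_image)}"]
        if TEMP_RESPONSE_FILE.search(e.cmdline):
            reasons.append("response file (@*.cmdline) in %TEMP%: CodeDom-style runtime compile")
        if USER_WRITABLE.search(e.parent_image):
            reasons.append("parent runs from a user-writable path")
        # cvtres.exe as a child of the compiler is the resource-link step of a full compile.
        children = [c for c in events if c.parent_pid == e.pid and basename(c.image) == "cvtres.exe"]
        if children:
            reasons.append("cvtres.exe child present (resource link step)")
        severity = "high" if len(reasons) >= 3 else "medium"
        findings.append({
            "pid": e.pid, "parent": e.parent_image, "severity": severity,
            "reasons": reasons, "children": [c.pid for c in children],
        })
    return findings


# Constructed from the report's process table; PID 1400 for Explorer.EXE is assumed.
SAMPLE_EVENTS = [
    ProcEvent(3096, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Crybat.zip"',
              1400, r"C:\Windows\Explorer.EXE"),
    ProcEvent(2044, r"C:\Users\admin\Desktop\Crybat\Crybat.exe",
              r'"C:\Users\admin\Desktop\Crybat\Crybat.exe"', 1400, r"C:\Windows\Explorer.EXE"),
    ProcEvent(3944, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\admin\AppData\Local\Temp\thwdkhhp.cmdline"',
              2044, r"C:\Users\admin\Desktop\Crybat\Crybat.exe"),
    ProcEvent(712, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              r'"/OUT:C:\Users\admin\AppData\Local\Temp\RESC33.tmp" '
              r'"c:\Users\admin\AppData\Local\Temp\CSCDCC25467BB6945019CABC0F2E9BE1375.TMP"',
              3944, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"),
    # Benign control (constructed, not from the report): a build server compiling a project.
    ProcEvent(5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\build\obj\Release\app.cmdline"',
              5000, r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] csc pid {f['pid']} parent {f['parent']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed input only PID 3944 is reported (severity high, with 712 attached); the MSBuild-driven compile is suppressed by the allow-list. In production, feed the function Sysmon Event ID 1 or EDR process-start records and keep the allow-list narrow: csc.exe under a process living on a user's Desktop is the anomaly, not csc.exe itself.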
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2044 | Crybat.exe | C:\Users\admin\Desktop\Crybat\runpe.dll | binary | 7B1B44B5928503DA4F90841B55639B99 | 5CDA378DA45C575786B59F1C86E62923E720FC4A1AE4D09F6B86A6495C00D5A7
712 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESC33.tmp | o | DFAF572434126C818AB8B956FA1FBCFF | CF484C71A74017C19B51FF15B7F5634E14167B09B93A716A8CE5C32B3438DD36
2044 | Crybat.exe | C:\Users\admin\AppData\Local\Temp\thwdkhhp.cmdline | text | 97DD9DA118EEEE0727F0272A6CE4F2FA | 3C10769BB37EDB4F49A618E87B590ADA49C1AF15541430C2D6A5E54E8813B9C6
3944 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCDCC25467BB6945019CABC0F2E9BE1375.TMP | res | 4C27EECB66BCE9EDEC33945C046F3236 | F3B4B4978082239D86E4D2563716A1B909439A828906D95DC220D4AC2A9E76B3
2044 | Crybat.exe | C:\Users\admin\Desktop\Crybat\payload.exe | binary | EFF61064BEF0B766556D82851039BCD9 | A617DDD17ABBF2AB2E94B85E50F7E595B36985418710674277F571A2B7EE87C9
3944 | csc.exe | C:\Users\admin\AppData\Local\Temp\thwdkhhp.out | text | C57AFC48DC6BE03365AD11D38B10945D | A63C2D018C7EC7E029C3404C044F5B8A33963DA32AB795AFC278ABB5D43D5092
3944 | csc.exe | C:\Users\admin\AppData\Local\Temp\tmpB39.tmp | executable | 640FE6E63811E5BFD65ABBC91DD22111 | 47AF0B8FB3E5E2F9A6DB9CF1D0C49797722DC5F50D9B02E81DD09CF5BC0CA796
2044 | Crybat.exe | C:\Users\admin\AppData\Local\Temp\thwdkhhp.0.cs | text | FDFA71FDB211933B4868382769BCA063 | 65BB9B060A3DFB67B583F79392B9E04773796D9CEA32D96E65C70E7228A89C5A
3096 | WinRAR.exe | C:\Users\admin\Desktop\Crybat\Crybat.exe | executable | 1193D4B9F902362E8C5DAA9FEB2070B1 | D56836BF3527BAD58B2A8B07B05372F5291637D3496D09535B4C671EDB700347

runpe.dll and payload.exe are written next to the extracted Crybat.exe rather than to %TEMP%; the names point to a RunPE-style in-memory loader and a second-stage payload, but the report records only the drops, not what either file does. The thwdkhhp.* files are the C# source (.0.cs), response file (.cmdline) and compiler output log (.out) of the runtime compile performed by csc.exe (PID 3944); tmpB39.tmp (type executable, written by csc.exe) is the compiled result, and RESC33.tmp and the CSC...TMP file are the resource-link intermediates produced with cvtres.exe. The hashes above, not the random temp-file names, are the reusable indicators.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2044 | Crybat.exe | 185.199.109.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious |
2044 | Crybat.exe | 185.199.110.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious |
2044 | Crybat.exe | 185.199.111.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | suspicious |
Domain | IP | Reputation
---|---|---
raw.githubusercontent.com | | shared
dns.msftncsi.com | | shared

dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe and is background sandbox traffic, not attributable to the sample. raw.githubusercontent.com is shared GitHub infrastructure (its three 185.199.x.133 front ends appear in the connections table above); the sandbox's "malicious" and "suspicious" reputations apply to the sample's connections, so key detection on the dropped-file hashes and the csc.exe behaviour rather than on these IPs alone.