analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

4.rar

Full analysis: https://app.any.run/tasks/b5cd91fb-aec4-4320-96b6-e8c44ff3d516
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 06:54:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

524FBB3C5BEE9BF99C4417048A4DE9D3

SHA1:

AB874FA70AD7EAD4EABEA2B0A63B7A66A827967D

SHA256:

D5B21327A57581B902EE1D26BC7A4384C9352B4968E7EE3BEC2DBA4AAD9B3941

SSDEEP:

24576:G5Q76KWB4sGDvJQ7O3C5FJQztpbivdpqeC1KSRgwsVHEds7iHsRTxM4MzN:GG7rK7Oy5FETgdggw+ucTC46

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3132)
      • FortNite [Brute&Checker] 1.0.0.exe (PID: 2172)

    • Application was dropped or rewritten from another process

      • STEALER_CRYPTED.exe (PID: 1656)
      • FortNite [Brute&Checker] 1.0.0.exe (PID: 2172)
      • FortNite [Brute&Checker] 1.0.0.exe (PID: 4072)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3796)

    • Actions looks like stealing of personal data

      • STEALER_CRYPTED.exe (PID: 1656)

    • Stealing of credential data

      • STEALER_CRYPTED.exe (PID: 1656)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • FortNite [Brute&Checker] 1.0.0.exe (PID: 2172)

    • Creates files in the user directory

      • STEALER_CRYPTED.exe (PID: 1656)
      • FortNite [Brute&Checker] 1.0.0.exe (PID: 2172)

    • Reads the cookies of Google Chrome

      • STEALER_CRYPTED.exe (PID: 1656)

    • Starts CMD.EXE for commands execution

      • STEALER_CRYPTED.exe (PID: 1656)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: FortNite [Brute&Checker] 1.0.0.exe
PackingMethod: Normal
ModifyDate: 2019:04:14 21:09:06
OperatingSystem: Win32
UncompressedSize: 1669179
CompressedSize: 1561440
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs searchprotocolhost.exe no specs fortnite [brute&checker] 1.0.0.exe fortnite [brute&checker] 1.0.0.exe no specs stealer_crypted.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3856"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\4.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3132"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2172"C:\Users\admin\Desktop\FortNite [Brute&Checker] 1.0.0.exe" C:\Users\admin\Desktop\FortNite [Brute&Checker] 1.0.0.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
description
Exit code:
0
Version:
7.0.0.0
4072"C:\Users\admin\AppData\Roaming\1337\FortNite [Brute&Checker] 1.0.0.exe" C:\Users\admin\AppData\Roaming\1337\FortNite [Brute&Checker] 1.0.0.exeFortNite [Brute&Checker] 1.0.0.exe
User:
admin
Company:
RanzerGameStudio
Integrity Level:
HIGH
Description:
FortNite SoftWare
Version:
1.0.0.0
1656"C:\Users\admin\AppData\Roaming\1337\STEALER_CRYPTED.exe" C:\Users\admin\AppData\Roaming\1337\STEALER_CRYPTED.exe
FortNite [Brute&Checker] 1.0.0.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3796cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Roaming\1337\STEALER_CRYPTED.exe"C:\Windows\system32\cmd.exeSTEALER_CRYPTED.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3404ping 1.1.1.1 -n 3 -w 3000 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
847
Read events
802
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
3856WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3856.28570\FortNite [Brute&Checker] 1.0.0.exe
MD5:
SHA256:
3856WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3856.28570\xNet.dll
MD5:
SHA256:
3856WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3856.28570\Newtonsoft.Json.dll
MD5:
SHA256:
2172FortNite [Brute&Checker] 1.0.0.exeC:\Users\admin\AppData\Local\Temp\nsa5B5D.tmp
MD5:
SHA256:
1656STEALER_CRYPTED.exeC:\Users\admin\AppData\Local\Temp\TMPRS.0XC
MD5:
SHA256:
1656STEALER_CRYPTED.exeC:\Users\admin\AppData\Local\Temp\TMPVB.0XE
MD5:
SHA256:
1656STEALER_CRYPTED.exeC:\Users\admin\AppData\Local\Temp\TMPVD.0XC
MD5:
SHA256:
1656STEALER_CRYPTED.exeC:\Users\admin\AppData\Local\Temp\TMPZF.0XC
MD5:
SHA256:
1656STEALER_CRYPTED.exeC:\Users\admin\AppData\Local\Temp\TMPCD.0XC
MD5:
SHA256:
1656STEALER_CRYPTED.exeC:\Users\admin\AppData\Local\Temp\TMYTR.zip
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1656
STEALER_CRYPTED.exe
POST
200
185.22.155.227:80
http://u369151ls8.ha002.t.justns.ru/404.php
RU
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1656
STEALER_CRYPTED.exe
185.22.155.227:80
u369151ls8.ha002.t.justns.ru
LLC Baxet
RU
malicious

DNS requests

Domain
IP
Reputation
u369151ls8.ha002.t.justns.ru
  • 185.22.155.227
malicious

Threats

PID
Process
Class
Message
1656
STEALER_CRYPTED.exe
A Network Trojan was detected
ET INFO Suspicious Windows NT version 7 User-Agent
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
4.rar