File name: NetFlix Checker by xRisky v2.rar
Full analysis: https://app.any.run/tasks/27a2cc61-87e3-4825-a647-3efc452f542e
Verdict: Malicious activity
Analysis date: January 24, 2022, 17:35:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: F8FB64E8D50CC6D9BF05D5C8E20D56C0
SHA1: EDC49D759ADBA60C69A18BF9233E6E2035F1FCB0
SHA256: D5E66C54CF7AC370D1701C48C73A8002F9437D8497D201EF1D784E813CD44945
SSDEEP: 196608:fzAgmwkpgI6+BaICCSF2+vAvhqTZSWxGOk+YxoByFphgMU:fzh4x6ovqs+BExo47OMU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NetFlix Checker by xRisky v2.exe (PID: 3132)
      • Launcher.exe (PID: 584)
      • NetCheck.exe (PID: 2608)
      • Secure System Shell.exe (PID: 1972)
      • Runtime Explorer.exe (PID: 3856)
      • Runtime Explorer.exe (PID: 2748)
      • Windows Services.exe (PID: 4036)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3796)
      • Launcher.exe (PID: 584)
      • NetCheck.exe (PID: 2608)
    • Writes to a start menu file

      • Launcher.exe (PID: 584)
    • Changes the autorun value in the registry

      • Launcher.exe (PID: 584)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3860)
      • NetFlix Checker by xRisky v2.exe (PID: 3132)
      • powershell.exe (PID: 2572)
      • Launcher.exe (PID: 584)
      • NetCheck.exe (PID: 2608)
      • Windows Services.exe (PID: 4036)
      • Secure System Shell.exe (PID: 1972)
    • Checks supported languages

      • WinRAR.exe (PID: 3860)
      • NetFlix Checker by xRisky v2.exe (PID: 3132)
      • Launcher.exe (PID: 584)
      • powershell.exe (PID: 2572)
      • NetCheck.exe (PID: 2608)
      • Windows Services.exe (PID: 4036)
      • Secure System Shell.exe (PID: 1972)
      • Runtime Explorer.exe (PID: 3856)
      • Runtime Explorer.exe (PID: 2748)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3860)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3860)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3860)
      • Launcher.exe (PID: 584)
    • Executes PowerShell scripts

      • Launcher.exe (PID: 584)
    • Creates files in the Windows directory

      • Launcher.exe (PID: 584)
    • Creates files in the user directory

      • Launcher.exe (PID: 584)
  • INFO

    • Manual execution by user

      • NetFlix Checker by xRisky v2.exe (PID: 3132)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 2572)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2572)
    • Dropped object may contain Bitcoin addresses

      • Launcher.exe (PID: 584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 10
Malicious processes: 6
Suspicious processes: 4

Behavior graph

(Interactive process graph not reproduced. Nodes shown: winrar.exe, searchprotocolhost.exe, netflix checker by xrisky v2.exe, launcher.exe, powershell.exe, netcheck.exe, windows services.exe, secure system shell.exe, runtime explorer.exe, runtime explorer.exe.)

Process information

PID: 3860
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NetFlix Checker by xRisky v2.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3796
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 3132
CMD: "C:\Users\admin\Desktop\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe"
Path: C:\Users\admin\Desktop\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Launcher
Exit code: 0
Version: 1.0.0.0

PID: 584
CMD: "C:\Users\admin\Desktop\NetFlix Checker by xRisky v2\debug\Launcher.exe"
Path: C:\Users\admin\Desktop\NetFlix Checker by xRisky v2\debug\Launcher.exe
Parent process: NetFlix Checker by xRisky v2.exe
User: admin
Integrity Level: HIGH
Description: Launcher
Exit code: 0
Version: 1.0.0.0

PID: 2572
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID: 2608
CMD: "C:\Users\admin\Desktop\NetFlix Checker by xRisky v2\debug\NetCheck.exe"
Path: C:\Users\admin\Desktop\NetFlix Checker by xRisky v2\debug\NetCheck.exe
Parent process: NetFlix Checker by xRisky v2.exe
User: admin
Company: __xRisky__
Integrity Level: HIGH
Description: NetFlix Checker by xRisky v2
Version: 1.0.0.0

PID: 4036
CMD: "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
Path: C:\Windows\IMF\Windows Services.exe
Parent process: Launcher.exe
User: admin
Integrity Level: HIGH
Description: Windows Services
Version: 1.0.0.0

PID: 1972
CMD: "C:\Windows\IMF\Secure System Shell.exe"
Path: C:\Windows\IMF\Secure System Shell.exe
Parent process: Windows Services.exe
User: admin
Integrity Level: HIGH
Description: Secure System Shell
Version: 1.0.0.0

PID: 3856
CMD: "C:\Windows\IMF\Runtime Explorer.exe"
Path: C:\Windows\IMF\Runtime Explorer.exe
Parent process: Windows Services.exe
User: admin
Company: Microsoft Windows
Integrity Level: HIGH
Exit code: 0
Version: 1.00

PID: 2748
CMD: "C:\Windows\IMF\Runtime Explorer.exe"
Path: C:\Windows\IMF\Runtime Explorer.exe
Parent process: Windows Services.exe
User: admin
Company: Microsoft Windows
Integrity Level: HIGH
Version: 1.00
Total events: 6 424
Read events: 6 345
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 18
Suspicious files: 6
Text files: 1
Unknown types: 2

Dropped files

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\debug\Launcher.exe
Type: executable
MD5: C6D4C881112022EB30725978ECD7C6EC
SHA256: 0D87B9B141A592711C52E7409EC64DE3AB296CDDC890BE761D9AF57CEA381B32

PID: 2572 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Temp\0ne3fyuz.k1p.ps1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe
Type: executable
MD5: A936E1C25E761F0DAC98E9D42AD28637
SHA256: CC93D5CB201A68DD673A5CF55AC97723B226FB670A73DF2D29548BF25245C2A4

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\MetroSuite 2.0.dll
Type: executable
MD5: 0D30A398CEC0FF006B6EA2B52D11E744
SHA256: 8604BF2A1FE2E94DC1EA1FBD0CF54E77303493B93994DF48479DC683580AA654

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\debug\Ionic.Zip.dll
Type: executable
MD5: F6933BF7CEE0FD6C80CDF207FF15A523
SHA256: 17BB0C9BE45289A2BE56A5F5A68EC9891D7792B886E0054BC86D57FE84D01C89

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\debug\NetCheck.exe
Type: executable
MD5: 5767A86DEDD068E8F14F1570A9052303
SHA256: CC815FCC20A41A0A2BF9C1574518004327EBB889E666D964E095482C5996EF11

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\debug\xNet.dll
Type: executable
MD5: 158DEFD55A804AA8D4D67BFDF7A4AF9C
SHA256: 6C7EC4CC31A2CE0B97703B7A42E3448E9B87D96DDA12761CA24D8787AC27CFF1

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\debug\LICENCE.dat
Type: compressed
MD5: F3014A18051F4E596AB95DA9138F6F6B
SHA256: 1F84A00808D5ECA122FDE7F20708F272C349FAE1EAA1129B5C694750F2E047D6

PID: 2572 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: dbf
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

PID: 3860 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3860.40162\NetFlix Checker by xRisky v2\Qoollo.Turbo.dll
Type: executable
MD5: 4E8246DF4EE956EC273C4BAA2054593C
SHA256: 1172732FD0FE6B679F5C6BF750598133DC815622C55EF1FA84087087BF42B495
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info