File name: MangaMeeya.zip

Full analysis: https://app.any.run/tasks/339e5f69-fd24-48b4-975b-b778de697931
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: March 20, 2025, 07:04:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arch-exec
arch-doc
arch-html
stealer
aspack
backdoor
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: A3EE98FB7645EA4D9B83924CE3868D40
SHA1: 39DE0771194F9AEA893AC14B5E0F98FF9603008E
SHA256: D6DAD53093A9DA729A3BABE9589FCDDA02BD58544F76EECD052EB1076285FF66
SSDEEP: 98304:k79D6G7aRXhfIxqkt2iX2xODdvmmphhHAq3nE8HLRzRHfjAmTlkHRCBaW4lRT4+s:x726kUOvYC5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 2624)
    • Actions looks like stealing of personal data

      • upTVSr.exe (PID: 312)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 2624)
    • Executable content was dropped or overwritten

      • MangaMeeya.exe (PID: 1748)
      • upTVSr.exe (PID: 312)
    • Reads the Internet Settings

      • upTVSr.exe (PID: 312)
    • Connects to unusual port

      • upTVSr.exe (PID: 312)
    • Executing commands from a ".bat" file

      • upTVSr.exe (PID: 312)
    • Starts CMD.EXE for commands execution

      • upTVSr.exe (PID: 312)
    • There is functionality for taking screenshot (YARA)

      • MangaMeeya.exe (PID: 1748)
    • Reads security settings of Internet Explorer

      • upTVSr.exe (PID: 312)
    • Creates file in the systems drive root

      • ntvdm.exe (PID: 3116)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 2624)
      • upTVSr.exe (PID: 312)
    • Create files in a temporary directory

      • MangaMeeya.exe (PID: 1748)
      • upTVSr.exe (PID: 312)
    • Manual execution by a user

      • MangaMeeya.exe (PID: 1748)
      • notepad.exe (PID: 1936)
    • Checks supported languages

      • MangaMeeya.exe (PID: 1748)
      • upTVSr.exe (PID: 312)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2624)
    • Reads the computer name

      • upTVSr.exe (PID: 312)
      • MangaMeeya.exe (PID: 1748)
    • Checks proxy server information

      • upTVSr.exe (PID: 312)
    • Reads the machine GUID from the registry

      • upTVSr.exe (PID: 312)
    • Aspack has been detected

      • MangaMeeya.exe (PID: 1748)
    • Creates files or folders in the user directory

      • upTVSr.exe (PID: 312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2022:10:10 22:24:00
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MangaMeeya/
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, winrar.exe, mangameeya.exe, uptvsr.exe, ntvdm.exe (no specs), ntvdm.exe (no specs), ntvdm.exe, ntvdm.exe, ntvdm.exe, cmd.exe (no specs), notepad.exe (no specs), svchost.exe

Process information

PID: 312
Command line: C:\Users\admin\AppData\Local\Temp\upTVSr.exe
Path: C:\Users\admin\AppData\Local\Temp\upTVSr.exe
Parent process: MangaMeeya.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\uptvsr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 948
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\0b557761.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: upTVSr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1028
Command line: "C:\Windows\system32\ntvdm.exe" -i4
Path: C:\Windows\System32\ntvdm.exe
Parent process: upTVSr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1080
Command line: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1500
Command line: "C:\Windows\system32\ntvdm.exe" -i3
Path: C:\Windows\System32\ntvdm.exe
Parent process: upTVSr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1748
Command line: "C:\Users\admin\Desktop\MangaMeeya\MangaMeeya.exe"
Path: C:\Users\admin\Desktop\MangaMeeya\MangaMeeya.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\mangameeya\mangameeya.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv
PID: 1936
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\dd_SetupUtility.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2016
Command line: "C:\Windows\system32\ntvdm.exe" -i2
Path: C:\Windows\System32\ntvdm.exe
Parent process: upTVSr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2624
Command line: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\MangaMeeya.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2748
Command line: "C:\Windows\system32\ntvdm.exe" -i5
Path: C:\Windows\System32\ntvdm.exe
Parent process: upTVSr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 2 134
Read events: 2 079
Write events: 36
Delete events: 19

Modification events

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write, Name: ShellExtBMP, Value:

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write, Name: ShellExtIcon, Value:

PID 2624, WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write, Name: LanguageList, Value: en-US

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write, Name: 3, Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write, Name: 2, Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write, Name: 1, Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write, Name: 0, Value: C:\Users\admin\AppData\Local\Temp\MangaMeeya.zip

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name, Value: 120

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size, Value: 80

PID 2624, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type, Value: 120
Executable files: 36
Suspicious files: 6
Text files: 56
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\altermeeya.ini | text
MD5: 6BF26321ACB882858D7FB2C21F797F24
SHA256: 814BEBB5A2C587A4CC904B6FA5E3871CB10F830872DFA6C6B657079A7BA79DEE
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\ColorYUY2_for_25.dll | executable
MD5: 29A858896917F387D51AA355886CB746
SHA256: 66BACF4B214BB7E9EE36A412CC5D8E9F1EBB8FFF7C048684B047B3F6EB49C75A
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\AdjustColor.def | text
MD5: CC1D797BD7ACC9C922F84F8A06CCC600
SHA256: 3A13DCF96272FF72061659B457427902F9E638D3DEAA4D15677AE9F2FB8581CB
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\lanczos3.def | text
MD5: 8B18B88C779B799D3DC5A42D685D1121
SHA256: CE0CAFD57287443062EFFE1D847BC91AF4BAA494D5D24541E3040F0840E8C7D7
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\arc.dll | executable
MD5: 670487110964B5E5F0EDB79F5FDB7C81
SHA256: 4CD042F6864430D7B28E109F94496CBDBE5E3FDA293407D79ECFC5D3FD975647
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\ColorYUV2.dll | executable
MD5: A4D6F924AE93E3A7167C2B1DB8AA94CF
SHA256: BFCD819485BB1E04B118AE5942EB6AF2C2CCAD891BF3774EA9ADDE79917C8083
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\ColorYUY2.def | text
MD5: ACB72D42026B1C9457D0773516573655
SHA256: 9852B53BBC15B1DA58CDB6FB3347C91F6E31D3B337587B0D5DE7A3224F3BB53A
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\lanczos3.dll | executable
MD5: AAF168FECA33660A999DD9E455832209
SHA256: F0E4B2249A8BDD17999FA66EF5312FBC59B58B2D484554DD0FF067B22880A188
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\MangaMeeya.def | text
MD5: 91C1F8D07135D1B2F6B479052E970BCE
SHA256: 2B89CC92E7180D3C1DC377CC519C47F371FE74C95CC3E32E1BC11DB61BF85CFA
2624 | WinRAR.exe | C:\Users\admin\Desktop\MangaMeeya\AvisynthPlugin\SimpleResize.def | text
MD5: F8CAFD14562FDFC0EEB0BE3A9F8403E6
SHA256: B1F1E0D0250A062F82B0DF0B431E14A4877CE35D6AE0C891ADBB581BE81AE0D6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 11
DNS requests: 2
Threats: 7

HTTP requests

PID | Process | Method | IP | URL | CN | Reputation
312 | upTVSr.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k2.rar | unknown | malicious
312 | upTVSr.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k1.rar | unknown | malicious
312 | upTVSr.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k2.rar | unknown | malicious
312 | upTVSr.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k3.rar | unknown | malicious
312 | upTVSr.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k4.rar | unknown | malicious
312 | upTVSr.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k5.rar | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
312 | upTVSr.exe | 3.229.117.57:799 | ddos.dnsnb8.net | AMAZON-AES | US | malicious

DNS requests

Domain | IP | Reputation
google.com | 142.250.184.238 | whitelisted
ddos.dnsnb8.net | 3.229.117.57 | malicious

Threats

PID | Process | Class | Message
1080 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Domain previously seen in multiple payload deliveries (ddos .dnsnb8 .net)
312 | upTVSr.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
312 | upTVSr.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
312 | upTVSr.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
312 | upTVSr.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
312 | upTVSr.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
312 | upTVSr.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
No debug info