File name:

Alien Crypter.zip

Full analysis: https://app.any.run/tasks/68367ce4-49a3-41ec-93e2-dd1c06d0c846
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan's capabilities range from full remote control of the victim's machine to theft of data and files and the dropping of additional malware; the core functionality therefore differs significantly from one family to the next. The most common trojan infection chain starts with a phishing email.

Analysis date: November 30, 2020, 02:10:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

4D365487A5ED9ADDB228B8904750DB5C

SHA1:

ACB323A14F547BEC8A7B986FCE0217342CBC715A

SHA256:

DADF7BAA00BAE4D80D22953EFFC3CE60542762FCD31241667602EA275DB6398A

SSDEEP:

393216:ej5jDqHLkdtXv/HjSPkm2n7fhRebjSO+zBfSlP:etHT/tfq1+zBfSJ

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by user actions inside the guest and is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Alien Crypter Cracked.exe (PID: 2152)
      • Git Credential Manager for Windows.exe (PID: 1472)
      • Alien Crypter.exe (PID: 1684)
      • Csghost-v2.6.exe (PID: 2012)
      • csghost_temp.exe (PID: 3300)
      • CSGhost-v2.6.exe (PID: 1940)
      • injector.exe (PID: 2504)
      • Alien Crypter.exe (PID: 2936)
      • Alien Crypter.exe (PID: 1916)
      • CSGhost-v2.6.exe (PID: 2848)
      • injector.exe (PID: 2320)
      • Alien Crypter Cracked.exe (PID: 3272)
    • Changes the autorun value in the registry

      • Alien Crypter Cracked.exe (PID: 2152)
      • Git Credential Manager for Windows.exe (PID: 1472)
      • injector.exe (PID: 2504)
    • Drops executable file immediately after starts

      • Alien Crypter.exe (PID: 1684)
      • Csghost-v2.6.exe (PID: 2012)
      • CSGhost-v2.6.exe (PID: 2848)
    • Writes to a start menu file

      • injector.exe (PID: 2504)
    • Changes the login/logoff helper path in the registry

      • injector.exe (PID: 2504)
    • Loads dropped or rewritten executable

      • Alien Crypter.exe (PID: 2936)
    • Changes settings of System certificates

      • injector.exe (PID: 2504)
    • Disables Windows Defender

      • injector.exe (PID: 2504)
  • SUSPICIOUS

    • Creates files in the user directory

      • Alien Crypter Cracked.exe (PID: 2152)
      • Alien Crypter.exe (PID: 1684)
      • Csghost-v2.6.exe (PID: 2012)
      • injector.exe (PID: 2504)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 2788)
      • powershell.exe (PID: 1544)
      • powershell.exe (PID: 4068)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2744)
      • Alien Crypter.exe (PID: 1684)
      • Csghost-v2.6.exe (PID: 2012)
      • injector.exe (PID: 2504)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2744)
      • Alien Crypter Cracked.exe (PID: 2152)
      • Alien Crypter.exe (PID: 1684)
      • Csghost-v2.6.exe (PID: 2012)
      • CSGhost-v2.6.exe (PID: 2848)
      • injector.exe (PID: 2504)
      • Alien Crypter.exe (PID: 2936)
    • Starts itself from another location

      • Alien Crypter Cracked.exe (PID: 2152)
    • Application launched itself

      • CSGhost-v2.6.exe (PID: 1940)
      • injector.exe (PID: 2504)
    • Starts CMD.EXE for commands execution

      • CSGhost-v2.6.exe (PID: 2848)
    • Executes PowerShell scripts

      • injector.exe (PID: 2504)
    • Reads Environment values

      • injector.exe (PID: 2504)
    • Creates a directory in Program Files

      • injector.exe (PID: 2320)
    • Adds / modifies Windows certificates

      • injector.exe (PID: 2504)
    • Drops a file that was compiled in debug mode

      • Alien Crypter.exe (PID: 2936)
  • INFO

    No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:11:16 22:25:27
ZipCRC: 0xcd83fd1e
ZipCompressedSize: 232830
ZipUncompressedSize: 515072
ZipFileName: Alien Crypter/Alien Crypter Cracked.exe
No data.
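The EXIF block above is read straight out of the archive's central directory: required version, general-purpose flags, compression method, DOS modification time, CRC-32, both sizes and the entry name. The following added example (not code from the report or from ANY.RUN) walks a ZIP central directory by hand with `struct`, returns those fields for every entry without extracting anything, and flags entries that are executables or encrypted, which is the triage question an analyst has before opening a "cracked tool" archive. The archive it parses is constructed in memory with `zipfile` and only mirrors the report's layout (a folder containing an `.exe`); it is not the sample from the report, and the stand-in `MZ` payload is not a real PE.

```python
"""Walk a ZIP central directory by hand and report the fields shown in the
EXIF block above, without extracting anything.  Added example; the archive
is constructed in memory and is not the sample from the report."""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA", 99: "AES"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".ps1", ".vbs", ".js", ".lnk", ".hta")


def dos_datetime(date: int, time: int) -> str:
    """Decode MS-DOS packed date/time into the report's exiftool-style format.
    ZIP stores seconds divided by two, so odd seconds cannot round-trip."""
    return "%04d:%02d:%02d %02d:%02d:%02d" % (
        ((date >> 9) & 0x7F) + 1980, (date >> 5) & 0xF, date & 0x1F,
        (time >> 11) & 0x1F, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def central_directory(data: bytes) -> list:
    """Return one dict per entry, read from the central directory only.

    The EOCD record is found by scanning backwards for its signature, as
    unzip tools do; a crafted archive comment can carry a fake signature,
    so the offsets read from it are sanity-checked before use.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + 22])
    if cd_offset + cd_size > eocd:
        raise ValueError("central directory overlaps the EOCD record")
    pos, out = cd_offset, []
    for _ in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        (_, ver_needed, flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen, clen, _, _, _, _) = struct.unpack(
            "<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        # Bit 11 of the flags marks a UTF-8 name; otherwise names are CP437.
        name = data[pos + 46:pos + 46 + nlen].decode(
            "utf-8" if flags & 0x800 else "cp437")
        out.append({
            "name": name,
            "required_version": "%d.%d" % divmod(ver_needed, 10),
            "encrypted": bool(flags & 0x1),
            "compression": COMPRESSION.get(method, "unknown(%d)" % method),
            "modify_date": dos_datetime(mdate, mtime),
            "crc": "0x%08x" % crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "executable": name.lower().endswith(EXEC_EXT),
        })
        pos += 46 + nlen + xlen + clen
    return out


def suspicious_entries(data: bytes) -> list:
    """Names worth quarantining before anyone double-clicks the archive."""
    return [e["name"] for e in central_directory(data)
            if e["executable"] or e["encrypted"]]


def crc_hex(data: bytes) -> str:
    return "0x%08x" % zlib.crc32(data)


# Constructed sample: a folder holding a fake .exe, like the report's archive.
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 200   # stand-in bytes, not a real PE


def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in (("Alien Crypter/readme.txt", b"see the exe"),
                              ("Alien Crypter/Alien Crypter Cracked.exe", SAMPLE_EXE_BYTES)):
            info = zipfile.ZipInfo(name, date_time=(2020, 11, 16, 22, 25, 26))
            z.writestr(info, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in central_directory(build_sample()):
        print(entry)
    print("suspicious:", suspicious_entries(build_sample()))
```

Reading the central directory rather than the local headers matters for triage: extraction tools trust the central directory, so an entry whose local header and central entry disagree is itself a warning sign, and the listing above lets you compare both without running anything.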
All screenshots are available in the full report
Total processes
61
Monitored processes
18
Malicious processes
6
Suspicious processes
3

Behavior graph

[Behavior graph: interactive process tree, available in the full report. Nodes: winrar.exe, alien crypter cracked.exe, git credential manager for windows.exe, alien crypter.exe, csghost-v2.6.exe, alien crypter.exe (no specs), csghost-v2.6.exe, injector.exe, alien crypter.exe, csghost-v2.6.exe, cmd.exe (no specs), csghost_temp.exe (no specs), powershell.exe x4 (no specs), injector.exe, alien crypter cracked.exe (no specs). Edges: "drop and start" (10), "start" (1).]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1108
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\injector.exe" -Force
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
1472
CMD:
"C:\Users\admin\AppData\Roaming\microsoft\Git Credential Manager for Windows.exe"
Path:
C:\Users\admin\AppData\Roaming\microsoft\Git Credential Manager for Windows.exe
Parent process:
Alien Crypter Cracked.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\git credential manager for windows.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
1544
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\injector.exe" -Force
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
1684
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\Alien Crypter.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\Alien Crypter.exe
Parent process:
WinRAR.exe
User:
admin
Company:
common
Integrity Level:
MEDIUM
Description:
shamanvoidcontortionist
Exit code:
0
Version:
14.1.84.77
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2744.9879\alien crypter\run if the file wont run\alien crypter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
1720
CMD:
C:\Windows\system32\cmd.exe /c start csghost_temp.exe
Path:
C:\Windows\system32\cmd.exe
Parent process:
CSGhost-v2.6.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1916
CMD:
"C:\Users\admin\AppData\Roaming\Alien Crypter.exe"
Path:
C:\Users\admin\AppData\Roaming\Alien Crypter.exe
Parent process:
Alien Crypter.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Revolution
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\alien crypter.exe
c:\systemroot\system32\ntdll.dll
PID:
1940
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe
Parent process:
Csghost-v2.6.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2744.9879\alien crypter\run if the file wont run\csghost-v2.6.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
2012
CMD:
"C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe"
Path:
C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe
Parent process:
Alien Crypter.exe
User:
admin
Company:
program
Integrity Level:
MEDIUM
Description:
downcastmoney
Exit code:
0
Version:
2.28.42.44
Modules
Images
c:\users\admin\appdata\roaming\csghost-v2.6.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
2152
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.8068\Alien Crypter\Alien Crypter Cracked.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.8068\Alien Crypter\Alien Crypter Cracked.exe
Parent process:
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2744.8068\alien crypter\alien crypter cracked.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
2320
CMD:
"C:\Users\admin\AppData\Roaming\injector.exe"
Path:
C:\Users\admin\AppData\Roaming\injector.exe
Parent process:
injector.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\injector.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
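The indicator list and the process table above together describe one persistence and defence-evasion chain: executables dropped under AppData, an autorun value and the login/logoff helper path rewritten, an executable written to the Start Menu Startup folder, and injector.exe spawning powershell.exe with `Add-MpPreference -ExclusionPath` aimed at that Startup copy. All four powershell.exe instances exited with code 1, so the exclusion was not applied on this guest, but the attempt itself is what a detection should fire on. The following added example (not ANY.RUN's code or data format) encodes those behaviours as rules and runs them over constructed Sysmon-style events modelled on the report's process tree. The event schema is a loose rendering of Sysmon Event IDs 1, 11 and 13, and the specific registry value names in the sample events (`...\CurrentVersion\Run\GitCredentialManager`, `...\Winlogon\Userinit`) are assumptions: the report says an autorun value and the login/logoff helper path were changed, not which ones.

```python
"""Detection rules for the persistence and defence-evasion behaviours this
report lists, exercised on constructed Sysmon-style events.

Added example: the event layout loosely follows Sysmon Event IDs 1 (process
create), 11 (file create) and 13 (registry value set) and is not ANY.RUN's
data model; the registry value names in the sample events are assumptions."""
import re
from typing import Iterator

# Locations an unprivileged user can write to; anything that persists from
# here deserves scrutiny.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Run/RunOnce keys plus the Winlogon Userinit/Shell values, which is what
# "changes the login/logoff helper path" refers to.
AUTORUN_KEYS = re.compile(
    r"\\CurrentVersion\\(?:Run|RunOnce)\\|\\Winlogon\\(?:Userinit|Shell)$", re.I)
# Add-MpPreference with any exclusion parameter; captures the quoted or bare value.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:\"([^\"]*)\"|(\S+))",
    re.I | re.S)
EXEC_EXT = re.compile(r"\.(?:exe|dll|scr|com|bat|cmd|ps1|vbs|js)$", re.I)
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check(ev: dict) -> Iterator:
    """Yield (rule, severity) for every rule that fires on one event."""
    if ev["id"] == 1:  # process create
        cmd = ev.get("cmdline", "")
        m = DEFENDER_EXCLUSION.search(cmd)
        if m:
            target = m.group(1) or m.group(2)
            # Excluding a user-writable path is the classic "hide my dropper" move.
            hot = USER_WRITABLE.search(target) or STARTUP_DIR.search(target)
            yield "defender_exclusion_added", "high" if hot else "medium"
        if basename(ev["image"]).lower() in LOLBINS and USER_WRITABLE.search(ev.get("parent_image", "")):
            yield "lolbin_spawned_by_user_writable_parent", "medium"
    elif ev["id"] == 13:  # registry value set
        if AUTORUN_KEYS.search(ev["target"]):
            hot = USER_WRITABLE.search(ev.get("details", ""))
            yield "autorun_registry_modified", "high" if hot else "medium"
    elif ev["id"] == 11:  # file create
        if STARTUP_DIR.search(ev["target"]) and EXEC_EXT.search(ev["target"]):
            yield "startup_folder_executable_written", "high"


def triage(events) -> list:
    return [{"pid": ev["pid"], "image": basename(ev["image"]), "rule": rule, "severity": sev}
            for ev in events for rule, sev in check(ev)]


# Constructed sample telemetry modelled on the report's process tree.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INJ = r"C:\Users\admin\AppData\Roaming\injector.exe"
STARTUP_EXE = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\injector.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1108, "image": PS, "parent_image": INJ,
     "cmdline": '"%s" Add-MpPreference -ExclusionPath "%s" -Force' % (PS, STARTUP_EXE)},
    {"id": 1, "pid": 1720, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c start csghost_temp.exe"},
    {"id": 13, "pid": 2152,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.8068\Alien Crypter\Alien Crypter Cracked.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GitCredentialManager",  # value name assumed
     "details": r"C:\Users\admin\AppData\Roaming\microsoft\Git Credential Manager for Windows.exe"},
    {"id": 13, "pid": 2504, "image": INJ,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",  # value assumed
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\admin\AppData\Roaming\injector.exe"},
    {"id": 11, "pid": 2504, "image": INJ, "target": STARTUP_EXE},
    # Benign control: PowerShell started from Explorer with an ordinary command.
    {"id": 1, "pid": 4242, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"%s" Get-Date' % PS},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%-6s pid=%-5d %-40s %s" % (f["severity"], f["pid"], f["image"], f["rule"]))
```

The rules are deliberately keyed on the parent/child relationship and on where the files live rather than on the names "Alien Crypter" or "injector.exe": a renamed dropper still runs from AppData, still has to touch a Run key, Winlogon value or the Startup folder to survive a reboot, and still has to spawn powershell.exe to ask Defender to look away.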
Total events
2 363
Read events
2 042
Write events
320
Delete events
1

Modification events

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtBMP
Value:

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtIcon
Value:

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:
write
Name:
LanguageList
Value:
en-US

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\Alien Crypter.zip

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(2744) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation:
write
Name:
size
Value:
80
Executable files
15
Suspicious files
8
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
1108
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRVZCJ4C3WS27XG5CDA1.temp
Type:
MD5:
SHA256:

PID:
2788
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3HNNZE07ZIUFWFSOGPW.temp
Type:
MD5:
SHA256:

PID:
1544
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GLNVK1N6JTRKMW5GWZ24.temp
Type:
MD5:
SHA256:

PID:
4068
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2DFGIUOZER3KV38QXUVZ.temp
Type:
MD5:
SHA256:

PID:
1684
Process:
Alien Crypter.exe
Filename:
C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe
Type:
executable
MD5:
SHA256:

PID:
2744
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Alien Crypter Cracked.exe
Type:
executable
MD5:
SHA256:

PID:
2744
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.8068\Alien Crypter\Run if the file wont run\Alien Crypter.exe
Type:
executable
MD5:
SHA256:

PID:
2152
Process:
Alien Crypter Cracked.exe
Filename:
C:\Users\admin\AppData\Roaming\microsoft\Git Credential Manager for Windows.exe
Type:
executable
MD5:
SHA256:

PID:
2744
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\Alien Crypter.exe
Type:
executable
MD5:
SHA256:

PID:
2012
Process:
Csghost-v2.6.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe
Type:
executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
2

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1472
Git Credential Manager for Windows.exe
83.249.111.102:1952
limeexploits.duckdns.org
Com Hem AB
SE
unknown
2504
injector.exe
104.23.99.190:443
pastebin.com
Cloudflare Inc
US
malicious
2320
injector.exe
83.249.111.102:1952
limeexploits.duckdns.org
Com Hem AB
SE
unknown
2936
Alien Crypter.exe
193.203.14.162:7898
malicious

DNS requests

Domain
IP
Reputation
limeexploits.duckdns.org
  • 83.249.111.102
malicious
pastebin.com
  • 104.23.99.190
  • 104.23.98.190
malicious

Threats

PID
Process
Class
Message
1060
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1 ETPRO signatures available at the full report
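The network section carries the cues an analyst pivots on: a DuckDNS hostname on a non-standard port (which is exactly what the ET INFO DYNAMIC_DNS signature fired on), two differently named processes talking to the same 83.249.111.102:1952 endpoint, injector.exe fetching something from pastebin.com over TLS, and Alien Crypter.exe reaching 193.203.14.162:7898 with no domain and no matching DNS lookup. The following added example (not ANY.RUN's code) tags each connection with those heuristics and pulls out a deduplicated IOC list. The records are transcribed from the Connections and DNS tables above; the dynamic-DNS and paste-site lists and the port list are this example's own assumptions, and the tags are triage hints, not a verdict.

```python
"""Tag the report's network records with the cues an analyst pivots on and
extract a deduplicated IOC list.  Added example; the records are
transcribed from the report, the provider/port lists are assumptions."""
from collections import defaultdict

# Free dynamic-DNS providers often used for C2 hosting (this example's list).
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net",
                   "hopto.org", "zapto.org", "dynu.com")
# Text-sharing sites malware fetches configuration or stage-two URLs from.
PASTE_SITES = ("pastebin.com", "paste.ee", "hastebin.com")
# Ports where an outbound connection is unremarkable on its own.
COMMON_PORTS = {80, 443, 8080, 8443, 53, 123, 21, 22, 25, 465, 587, 993, 995}


def under_suffix(host: str, suffixes) -> bool:
    """True when host equals a suffix or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_network(connections, dns) -> dict:
    resolved = {ip for rec in dns for ip in rec["ips"]}
    endpoint_users = defaultdict(set)  # "ip:port" -> set of process names
    for c in connections:
        endpoint_users["%s:%d" % (c["ip"], c["port"])].add(c["process"])

    tagged = []
    for c in connections:
        tags = []
        dom = c.get("domain") or ""
        if under_suffix(dom, DYNDNS_SUFFIXES):
            tags.append("dynamic_dns")
        if under_suffix(dom, PASTE_SITES):
            tags.append("paste_site")
        if c["port"] not in COMMON_PORTS:
            tags.append("nonstandard_port")
        # A hard-coded address: nothing in the DNS log explains how the
        # process learned it.
        if not dom and c["ip"] not in resolved:
            tags.append("direct_ip_no_dns")
        # The same socket reached by processes with different names is a
        # strong sign they are the same family behind different masks.
        if len(endpoint_users["%s:%d" % (c["ip"], c["port"])]) > 1:
            tags.append("endpoint_shared_by_multiple_processes")
        tagged.append({**c, "tags": tags})

    iocs = {
        "domains": sorted({c["domain"] for c in connections if c.get("domain")}
                          | {r["domain"] for r in dns}),
        "ips": sorted({c["ip"] for c in connections} | resolved),
        "sockets": sorted(endpoint_users),
    }
    return {"connections": tagged, "iocs": iocs}


# Transcribed from the report's Connections and DNS requests tables.
CONNECTIONS = [
    {"pid": 1472, "process": "Git Credential Manager for Windows.exe",
     "ip": "83.249.111.102", "port": 1952, "domain": "limeexploits.duckdns.org"},
    {"pid": 2504, "process": "injector.exe",
     "ip": "104.23.99.190", "port": 443, "domain": "pastebin.com"},
    {"pid": 2320, "process": "injector.exe",
     "ip": "83.249.111.102", "port": 1952, "domain": "limeexploits.duckdns.org"},
    {"pid": 2936, "process": "Alien Crypter.exe",
     "ip": "193.203.14.162", "port": 7898, "domain": None},
]
DNS = [
    {"domain": "limeexploits.duckdns.org", "ips": ["83.249.111.102"]},
    {"domain": "pastebin.com", "ips": ["104.23.99.190", "104.23.98.190"]},
]

if __name__ == "__main__":
    result = triage_network(CONNECTIONS, DNS)
    for c in result["connections"]:
        print("%-40s %s:%-5d %s" % (c["process"], c["ip"], c["port"], ", ".join(c["tags"])))
    print(result["iocs"])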
Process
Message
Alien Crypter.exe
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
CSGhost-v2.6.exe
Fuck off
CSGhost-v2.6.exe
Fuck off
Alien Crypter.exe
?g
Alien Crypter.exe
?g
Alien Crypter.exe
?g
Alien Crypter.exe
?g
Alien Crypter.exe
?g
Alien Crypter.exe
?g
Alien Crypter.exe
?g