File name: Alien Crypter.zip
Full analysis: https://app.any.run/tasks/68367ce4-49a3-41ec-93e2-dd1c06d0c846
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 30, 2020, 02:10:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 4D365487A5ED9ADDB228B8904750DB5C
SHA1: ACB323A14F547BEC8A7B986FCE0217342CBC715A
SHA256: DADF7BAA00BAE4D80D22953EFFC3CE60542762FCD31241667602EA275DB6398A
SSDEEP: 393216:ej5jDqHLkdtXv/HjSPkm2n7fhRebjSO+zBfSlP:etHT/tfq1+zBfSJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Git Credential Manager for Windows.exe (PID: 1472)
      • Alien Crypter Cracked.exe (PID: 2152)
      • Csghost-v2.6.exe (PID: 2012)
      • Alien Crypter.exe (PID: 1684)
      • csghost_temp.exe (PID: 3300)
      • Alien Crypter.exe (PID: 1916)
      • injector.exe (PID: 2504)
      • Alien Crypter.exe (PID: 2936)
      • CSGhost-v2.6.exe (PID: 1940)
      • CSGhost-v2.6.exe (PID: 2848)
      • injector.exe (PID: 2320)
      • Alien Crypter Cracked.exe (PID: 3272)
    • Changes the autorun value in the registry

      • Alien Crypter Cracked.exe (PID: 2152)
      • Git Credential Manager for Windows.exe (PID: 1472)
      • injector.exe (PID: 2504)
    • Drops executable file immediately after starts

      • Csghost-v2.6.exe (PID: 2012)
      • Alien Crypter.exe (PID: 1684)
      • CSGhost-v2.6.exe (PID: 2848)
    • Writes to a start menu file

      • injector.exe (PID: 2504)
    • Changes the login/logoff helper path in the registry

      • injector.exe (PID: 2504)
    • Loads dropped or rewritten executable

      • Alien Crypter.exe (PID: 2936)
    • Changes settings of System certificates

      • injector.exe (PID: 2504)
    • Disables Windows Defender

      • injector.exe (PID: 2504)
  • SUSPICIOUS

    • Creates files in the user directory

      • Csghost-v2.6.exe (PID: 2012)
      • Alien Crypter Cracked.exe (PID: 2152)
      • Alien Crypter.exe (PID: 1684)
      • injector.exe (PID: 2504)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 1544)
      • powershell.exe (PID: 4068)
      • powershell.exe (PID: 2788)
    • Executable content was dropped or overwritten

      • Alien Crypter Cracked.exe (PID: 2152)
      • WinRAR.exe (PID: 2744)
      • Csghost-v2.6.exe (PID: 2012)
      • Alien Crypter.exe (PID: 1684)
      • injector.exe (PID: 2504)
      • CSGhost-v2.6.exe (PID: 2848)
      • Alien Crypter.exe (PID: 2936)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2744)
      • Alien Crypter.exe (PID: 1684)
      • Csghost-v2.6.exe (PID: 2012)
      • injector.exe (PID: 2504)
    • Starts itself from another location

      • Alien Crypter Cracked.exe (PID: 2152)
    • Application launched itself

      • CSGhost-v2.6.exe (PID: 1940)
      • injector.exe (PID: 2504)
    • Executes PowerShell scripts

      • injector.exe (PID: 2504)
    • Starts CMD.EXE for commands execution

      • CSGhost-v2.6.exe (PID: 2848)
    • Reads Environment values

      • injector.exe (PID: 2504)
    • Adds / modifies Windows certificates

      • injector.exe (PID: 2504)
    • Drops a file that was compiled in debug mode

      • Alien Crypter.exe (PID: 2936)
    • Creates a directory in Program Files

      • injector.exe (PID: 2320)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Alien Crypter/Alien Crypter Cracked.exe
ZipUncompressedSize: 515072
ZipCompressedSize: 232830
ZipCRC: 0xcd83fd1e
ZipModifyDate: 2020:11:16 22:25:27
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 18
Malicious processes: 6
Suspicious processes: 3

Behavior graph

(Interactive graph; process details are available in the full report. Processes shown in the graph: winrar.exe, alien crypter cracked.exe, git credential manager for windows.exe, alien crypter.exe, csghost-v2.6.exe, alien crypter.exe (no specs), csghost-v2.6.exe, injector.exe, alien crypter.exe, csghost-v2.6.exe, cmd.exe (no specs), csghost_temp.exe (no specs), powershell.exe (no specs, four instances), injector.exe, alien crypter cracked.exe (no specs). Graph edges are labelled "drop and start" and "start".)

Process information

PID 2744
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Alien Crypter.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2152
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.8068\Alien Crypter\Alien Crypter Cracked.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.8068\Alien Crypter\Alien Crypter Cracked.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1472
  CMD: "C:\Users\admin\AppData\Roaming\microsoft\Git Credential Manager for Windows.exe"
  Path: C:\Users\admin\AppData\Roaming\microsoft\Git Credential Manager for Windows.exe
  Parent process: Alien Crypter Cracked.exe
  User: admin
  Integrity Level: MEDIUM

PID 1684
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\Alien Crypter.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\Alien Crypter.exe
  Parent process: WinRAR.exe
  User: admin
  Company: common
  Integrity Level: MEDIUM
  Description: shamanvoidcontortionist
  Exit code: 0
  Version: 14.1.84.77

PID 2012
  CMD: "C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe"
  Path: C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe
  Parent process: Alien Crypter.exe
  User: admin
  Company: program
  Integrity Level: MEDIUM
  Description: downcastmoney
  Exit code: 0
  Version: 2.28.42.44

PID 1916
  CMD: "C:\Users\admin\AppData\Roaming\Alien Crypter.exe"
  Path: C:\Users\admin\AppData\Roaming\Alien Crypter.exe
  Parent process: Alien Crypter.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Revolution
  Exit code: 3221226540
  Version: 1.0.0.0

PID 1940
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe
  Parent process: Csghost-v2.6.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1

PID 2504
  CMD: "C:\Users\admin\AppData\Roaming\injector.exe"
  Path: C:\Users\admin\AppData\Roaming\injector.exe
  Parent process: Csghost-v2.6.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1

PID 2936
  CMD: "C:\Users\admin\AppData\Roaming\Alien Crypter.exe"
  Path: C:\Users\admin\AppData\Roaming\Alien Crypter.exe
  Parent process: Alien Crypter.exe
  User: admin
  Integrity Level: HIGH
  Description: Revolution
  Version: 1.0.0.0

PID 2848
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\CSGhost-v2.6.exe
  Parent process: CSGhost-v2.6.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3
Total events: 2 363
Read events: 2 042
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 15
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID 1108, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRVZCJ4C3WS27XG5CDA1.temp
  MD5:
  SHA256:

PID 2788, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3HNNZE07ZIUFWFSOGPW.temp
  MD5:
  SHA256:

PID 1544, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GLNVK1N6JTRKMW5GWZ24.temp
  MD5:
  SHA256:

PID 4068, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2DFGIUOZER3KV38QXUVZ.temp
  MD5:
  SHA256:

PID 2788, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1324d1.TMP
  Type: binary
  MD5: F17FB243611FC8D2B382ABB444B83A98
  SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869

PID 2744, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Alien Crypter Cracked.exe
  Type: executable
  MD5: F57A470653A397D932ED95BA7203FE1C
  SHA256: 72E134FB5C5AF5A4A5C41089012062EA13D5616D016A9E73FFADA33CC564FBA9

PID 1108, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF132389.TMP
  Type: binary
  MD5: F17FB243611FC8D2B382ABB444B83A98
  SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869

PID 1684, Alien Crypter.exe
  Filename: C:\Users\admin\AppData\Roaming\Csghost-v2.6.exe
  Type: executable
  MD5: 92D183608B7FD62EB5D14693004F9B31
  SHA256: 1F18DFF9A713A0B18CB3D4E6C5F2D8A6986A42BDC1C87038D825158E1E580A95

PID 2848, CSGhost-v2.6.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.9879\Alien Crypter\Run if the file wont run\csghost_temp.exe
  Type: executable
  MD5: A16B0993CD91B1111C642D28FD48BDD8
  SHA256: 266133CEB1DE491D66E332A58C9C45DAA17E569F6D865CDD46A81872102F07E9

PID 1544, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1324f0.TMP
  Type: binary
  MD5: F17FB243611FC8D2B382ABB444B83A98
  SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process                                 IP                    Domain                    ASN             CN  Reputation
2504  injector.exe                            104.23.99.190:443     pastebin.com              Cloudflare Inc  US  malicious
2936  Alien Crypter.exe                       193.203.14.162:7898                                                 malicious
2320  injector.exe                            83.249.111.102:1952   limeexploits.duckdns.org  Com Hem AB      SE  unknown
1472  Git Credential Manager for Windows.exe  83.249.111.102:1952   limeexploits.duckdns.org  Com Hem AB      SE  unknown

DNS requests

Domain                    IP              Reputation
limeexploits.duckdns.org  83.249.111.102  malicious
pastebin.com              104.23.99.190   shared
                          104.23.98.190

Threats

PID  Process  Class          Message
               Misc activity  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

1 ETPRO signature available at the full report
Process            Message
Alien Crypter.exe  %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
CSGhost-v2.6.exe   Fuck off (2 entries)
Alien Crypter.exe  ?g (7 entries)