File name: Poenix Keylogger AIO.zip
Full analysis: https://app.any.run/tasks/9215283f-14fe-4f1f-b7ae-b17ff5385347
Verdict: Malicious activity
Analysis date: January 25, 2022, 03:33:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8A661305BC62C4EE76EAEF71C9965BDC
SHA1: 9F01A1DA2AF1002B0930A664D0043E5C79E501AC
SHA256: DF9ECD91B0D24A1D0AD7F75A48D32DFEB9DD2453005C7A42BDF9B49C81A33DD5
SSDEEP: 196608:XyP8g/e62p1vo+zBYcOHx52yF0ev9+9rGdUlufPV4ZCK46qYfgFbaqJH4YafJ27r:ie68hVdXwUiUlunuh46IaqLATEP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2716)
      • px__p.exe (PID: 3388)
      • Explorer.EXE (PID: 1656)
    • Application was dropped or rewritten from another process

      • px__p.exe (PID: 3388)
      • px__p.exe (PID: 2088)
    • Drops executable file immediately after starts

      • vbc.exe (PID: 2912)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2252)
      • px__p.exe (PID: 3388)
      • vbc.exe (PID: 2912)
      • cvtres.exe (PID: 1784)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2252)
      • px__p.exe (PID: 3388)
      • vbc.exe (PID: 2912)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2252)
      • vbc.exe (PID: 2912)
      • px__p.exe (PID: 3388)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2252)
    • Reads the computer name

      • WinRAR.exe (PID: 2252)
      • px__p.exe (PID: 3388)
    • Reads internet explorer settings

      • px__p.exe (PID: 3388)
    • Executes scripts

      • px__p.exe (PID: 3388)
    • Reads Environment values

      • px__p.exe (PID: 3388)
    • Drops a file with too old compile date

      • px__p.exe (PID: 3388)
    • Application launched itself

      • Explorer.EXE (PID: 1656)
  • INFO

    • Manual execution by user

      • px__p.exe (PID: 3388)
      • px__p.exe (PID: 2088)
    • Checks supported languages

      • explorer.exe (PID: 3368)
    • Reads the computer name

      • explorer.exe (PID: 3368)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:01:06 14:13:05
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Poenix Keylogger AIO/
No data.
Total processes: 51
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, in order (interactive view is in the full report; "no specs" marks processes with no indicators attached):
  • start: winrar.exe
  • searchprotocolhost.exe (no specs)
  • px__p.exe (no specs)
  • px__p.exe
  • vbc.exe
  • cvtres.exe (no specs)
  • explorer.exe (no specs)
  • explorer.exe (no specs)

Process information

PID: 2252
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Poenix Keylogger AIO.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 2716
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 2088
CMD: "C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe"
Path: C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe
Parent process: Explorer.EXE
User: admin
Company: Phoenix Keylogger
Integrity Level: MEDIUM
Description: Phoenix Keylogger
Exit code: 3221226540
Version: 2.1.0.0

PID: 3388
CMD: "C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe"
Path: C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe
Parent process: Explorer.EXE
User: admin
Company: Phoenix Keylogger
Integrity Level: HIGH
Description: Phoenix Keylogger
Exit code: 3489660927
Version: 2.1.0.0

PID: 2912
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\admin\AppData\Local\Temp\hl3iyhcv.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: px__p.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Visual Basic Command Line Compiler
Exit code: 0
Version: 12.0.51209.34209

PID: 1784
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES20DF.tmp" "C:\Users\admin\AppData\Local\Temp\vbc76545414DBDF4E32A9A58EF5BD7CFA.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: vbc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 12.00.51209.34209 built by: FX452RTMGDR

PID: 1656
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3368
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 11 561
Read events: 11 178
Write events: 101
Delete events: 0

Modification events

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

Process: (2252) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Poenix Keylogger AIO.zip

Process: (1656) Explorer.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: MRUList
Value: a

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 41
Suspicious files: 1
Text files: 4
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\PeebCore.dll | executable
MD5:128A51A403DDD07999E03E3A36D96579
SHA256:90F882851DF247E60CEF36644E63A7927B243FC8F81B5CCB1ECFF8E9564D81F2
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\key.txt | text
MD5:F85BED186EDCDA64396F03C39C0CEAD3
SHA256:FE5A222BEF09901D2391BC64951E0514A7BBE5ACC562034D428305557AC37D20
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\IconExtractor.dll | executable
MD5:36B46C48D2FBCDF839F0BB96BA20B386
SHA256:02707BE9D1E86187D99ED2DC91DF6335D093FBEC1EE4B65B5DC16161615EC2F9
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroFramework.dll | executable
MD5:34EA7F7D66563F724318E322FF08F4DB
SHA256:C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\dnlib.dll | executable
MD5:754A721EE1F1869394EC24212BBD7F30
SHA256:A07EAF627F7CE270B0622DAD29BFCD6F8A9BC49701802F4ED2455FFEE7BC7307
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroSet UI.dll | odttf
MD5:996E8CA6FFB661DB1822B8EE73A49391
SHA256:D405509CDD2B02CE0BD3E2087EEB9F55644B25C6269F743FF1F1B3BD0DAD526E
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroFramework.Fonts.dll | executable
MD5:65EF4B23060128743CEF937A43B82AA3
SHA256:C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroFramework.Design.dll | executable
MD5:AB4C3529694FC8D2427434825F71B2B8
SHA256:0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65
3388 | px__p.exe | C:\Users\admin\AppData\Local\Temp\evb144A.tmp | executable
MD5:F42B53932C92BFF192EAEE9349845421
SHA256:FF9B106F1B6B72881AACDE0AB84CEF2BB5870E57F6A0459EA7DD15D3CDBCD65E
3388 | px__p.exe | C:\Users\admin\AppData\Local\Temp\evb13C9.tmp | executable
MD5:5432FD5BE3C50427082EE5CE5029D019
SHA256:2F411C2B6935C46E2877AC1FA0BAB8D1B0FA481DA890B10A2B0133424709A795
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3388 | px__p.exe | 104.26.3.183:443 | cracked.to | Cloudflare Inc | US | suspicious

DNS requests

Domain | IP | Reputation
cracked.to | 104.26.3.183, 104.26.2.183, 172.67.73.245 | whitelisted

Threats

PID | Process | Class | Message
(not listed) | (not listed) | Potentially Bad Traffic | ET DNS Query for .to TLD
No debug info