File name: BitCoin Private Key Finder.zip
Full analysis: https://app.any.run/tasks/1789f612-3537-49b9-9c86-18dbda137bd7
Verdict: Malicious activity
Analysis date: January 24, 2022, 17:16:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6D1108B20FAAC324D259588C4398C31F
SHA1: F90E71A475DFCF31D2DCA5D1E98717418E7D4281
SHA256: E1BFDF5D83FA14C9BD54109306BDC04D70F2133CA2309400DA487CC1B16A35F9
SSDEEP: 98304:gIepfby9+WDN9FrVwOcTDuCf19XVJeZvmZ7ySJbsGX:DSfbovR9FrVwlvuCf1ZVJWvkfwQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • BitCoin Private Key Finder.exe (PID: 3524)
    • Application was dropped or rewritten from another process

      • BitCoin Private Key Finder.exe (PID: 3524)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3504)
      • BitCoin Private Key Finder.exe (PID: 3524)
    • Checks supported languages

      • BitCoin Private Key Finder.exe (PID: 3524)
      • WinRAR.exe (PID: 3504)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3504)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3504)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3504)
    • Creates files in the program directory

      • BitCoin Private Key Finder.exe (PID: 3524)
    • Reads Environment values

      • BitCoin Private Key Finder.exe (PID: 3524)
  • INFO

    • Reads settings of System Certificates

      • BitCoin Private Key Finder.exe (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Microsoft.Extensions.Logging.Abstractions.dll
ZipUncompressedSize: 43512
ZipCompressedSize: 19776
ZipCRC: 0xa4e8bf39
ZipModifyDate: 2016:06:22 09:14:28
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph (rendered in the full report): winrar.exe (drop and start) -> bitcoin private key finder.exe

Process information

PID: 3504
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BitCoin Private Key Finder.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3524
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\BitCoin Private Key Finder.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\BitCoin Private Key Finder.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225786
Total events: 4 103
Read events: 4 059
Write events: 44
Delete events: 0

Modification events

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\BitCoin Private Key Finder.zip

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3504) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 6
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\Target\Wallets.txt
Type:
MD5:
SHA256:

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\NBitcoin.dll
Type: executable
MD5: 7CDF4730FA13164F019A3477298576CD
SHA256: DEFEDF09303295EFF49EB88F8BC17E25CE189E2C6F54B95F8DEFF8ACAB726458

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\Newtonsoft.Json.dll
Type: executable
MD5: 2B8093898E84AEB87BB476FB9685E584
SHA256: E5FA1EC7205FF6CCA95EB14560E1C70D7D39E86D3A89552448147DCB89243048

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\BitCoin Private Key Finder.exe
Type: executable
MD5: FD261F013BB0BB07B2A829F366FC95AD
SHA256: C66C8C8CD4B96FB5CC384FA79EBADC043B3BB37C1A72D40A646E43BEDB76A52F

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\QBitNinja.Client.dll
Type: executable
MD5: A1B07FB4462F97D7A9654D76F46B2A6E
SHA256: 7DCB504C6545C1752514C45F98A637A8DF6CC94D3590F51C74CB3FD4847C1841

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\System.Buffers.dll
Type: executable
MD5: 775985A0B99BD5B2CF3D231A279660CE
SHA256: E0DFE400D224DBBE40F22F6C66B995FFC350F4105F57FB587D9C59E911D912BE

PID: 3504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.26034\Microsoft.Extensions.Logging.Abstractions.dll
Type: executable
MD5: 73BF8E0F455668D5BC6DCA8DBC2750D2
SHA256: D331EDF349A4CF8173B29DA9BF30101791F94C63CF68A68DA0EE9328F8704B98
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3524
Process: BitCoin Private Key Finder.exe
IP: 23.102.12.43:443
Domain: api.qbit.ninja
ASN: Microsoft Corporation
CN: IE
Reputation: unknown

DNS requests

Domain: api.qbit.ninja
IP: 23.102.12.43
Reputation: unknown

Threats

No threats detected
No debug info