File name: CHEAT.zip

Full analysis: https://app.any.run/tasks/5536d299-22b3-4813-b9f6-1d2836b02c87
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 15, 2022, 02:46:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
evasion
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EE2F3420DAB653BEFFE6464AA3743BD4
SHA1: A3914CC7864C18D584616A08C88C2308CD14FE8F
SHA256: E6382E08A8AF84A913695406B3C76ED502E98E24CF230BC4B8EEABE6499524C0
SSDEEP: 49152:oUaER91qYDQiH9jf07X0TXZl482F8WvV8IfGUli0hSGxVZulx:rpO7X0TJl482+Ilg0hlxvcx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Stealing of credential data
      • Downloader.exe (PID: 1416)
    • Steals credentials from Web Browsers
      • Downloader.exe (PID: 1416)
    • Application was dropped or rewritten from another process
      • Downloader.exe (PID: 1416)
      • Downloader.exe (PID: 3996)
    • Actions looks like stealing of personal data
      • Downloader.exe (PID: 1416)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2152)
    • Checks supported languages
      • Downloader.exe (PID: 1416)
      • WinRAR.exe (PID: 2152)
      • Downloader.exe (PID: 3996)
    • Reads the computer name
      • Downloader.exe (PID: 1416)
      • WinRAR.exe (PID: 2152)
      • Downloader.exe (PID: 3996)
    • Reads the cookies of Mozilla Firefox
      • Downloader.exe (PID: 1416)
    • Checks for external IP
      • Downloader.exe (PID: 1416)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 2152)
    • Reads Environment values
      • Downloader.exe (PID: 1416)
  • INFO
    • Manual execution by user
      • Downloader.exe (PID: 3996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: unins000.dat
ZipUncompressedSize: 94615
ZipCompressedSize: 5481
ZipCRC: 0xb9c0830f
ZipModifyDate: 2021:12:22 17:45:24
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes: winrar.exe, downloader.exe, downloader.exe (no specs); edges: drop and start, start. The interactive graph with per-process details is available in the full report.

Process information

PID: 1416
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2152.46838\Downloader.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2152.46838\Downloader.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: gosgo
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\users\admin\appdata\local\temp\rar$exa2152.46838\downloader.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 2152
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CHEAT.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3996
CMD: "C:\Users\admin\Desktop\Downloader.exe"
Path: C:\Users\admin\Desktop\Downloader.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: gosgo
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\downloader.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\rpcrt4.dll
Total events: 1 666
Read events: 1 623
Write events: 43
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | -
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | -
(2152) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\CHEAT.zip
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(2152) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2152 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2152.46838\Downloader.exe | executable | - | -
2152 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2152.46838\unins000.dat | dat | - | -
2152 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2152.46838\INSTRUCTIONS.txt | text | - | -
1416 | Downloader.exe | C:\Users\admin\Documents\qwrto5yn.hbo | sqlite | CC104C4E4E904C3AD7AD5C45FBFA7087 | 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
1416 | Downloader.exe | C:\Users\admin\Documents\wk0w2uip.qld | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
2152 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2152.49077\Downloader.exe | executable | - | -
1416 | Downloader.exe | C:\Users\admin\Documents\ksdwaex5.h2w | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 3
DNS requests: 3
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1416 | Downloader.exe | GET | 403 | 34.117.59.81:80 | http://ipinfo.io/185.192.69.73 | US | html | 1.55 Kb | shared
1416 | Downloader.exe | POST | 200 | 185.178.208.155:80 | http://xfilesebetreadline.ru/u0028.php | RU | text | 19 b | malicious
1416 | Downloader.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared
1416 | Downloader.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared
1416 | Downloader.exe | GET | 403 | 34.117.59.81:80 | http://ipinfo.io/185.192.69.73 | US | html | 1.55 Kb | shared
1416 | Downloader.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1416 | Downloader.exe | 193.122.130.0:80 | checkip.dyndns.org | Oracle Corporation | US | malicious
1416 | Downloader.exe | 185.178.208.155:80 | xfilesebetreadline.ru | Ddos-guard Ltd | RU | malicious
1416 | Downloader.exe | 34.117.59.81:80 | ipinfo.io | - | US | whitelisted

DNS requests

Domain | IP | Reputation
checkip.dyndns.org | 193.122.130.0, 132.226.8.169, 131.186.113.70, 193.122.6.168, 132.226.247.73, 158.101.44.242 | shared
ipinfo.io | 34.117.59.81 | shared
xfilesebetreadline.ru | 185.178.208.155 | malicious

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
- | - | Misc activity | AV INFO Query to checkip.dyndns. Domain
1416 | Downloader.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ipinfo.io
1416 | Downloader.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org
1416 | Downloader.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org
1416 | Downloader.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ipinfo.io
1416 | Downloader.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org
1416 | Downloader.exe | A Network Trojan was detected | ET TROJAN Win32/X-Files Stealer Activity
3 ETPRO signatures available at the full report
No debug info