File name:

BD2.Net Injector.rar

Full analysis: https://app.any.run/tasks/b0b43116-a371-404a-bd71-9f34cef20141
Verdict: Malicious activity
Analysis date: July 15, 2024, 04:16:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

C046CFF01CBED63ABA5A634C1718A5C9

SHA1:

7320B9F1AC5A2AB0CD484487B7F913686961C70C

SHA256:

E6951FF315401338D8C75F87ED983BB5880037B8C8897548774F153CC631C9E9

SSDEEP:

98304:JOOoON88ETuJXccpp5RQwOplWQYH0nTrWLgtlbcAwN246CX3NvxfI6w7OikjcqTu:94Me9nEIIy7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3400)
      • csc.exe (PID: 3584)
      • BD2.Net Injector.exe (PID: 2748)

    • Starts Visual C# compiler

      • BD2.Net Injector.exe (PID: 2748)

  • SUSPICIOUS

    • Reads the Internet Settings

      • BD2.Net Injector.exe (PID: 2748)

    • There is functionality for taking screenshot (YARA)

      • BD2.Net Injector.exe (PID: 2748)

    • Uses .NET C# to load dll

      • BD2.Net Injector.exe (PID: 2748)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 3584)
      • BD2.Net Injector.exe (PID: 2748)

  • INFO

    • Manual execution by a user

      • BD2.Net Injector.exe (PID: 2748)

    • Reads the computer name

      • BD2.Net Injector.exe (PID: 2748)

    • Checks supported languages

      • BD2.Net Injector.exe (PID: 2748)
      • csc.exe (PID: 3584)
      • cvtres.exe (PID: 3364)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3400)

    • Reads the machine GUID from the registry

      • BD2.Net Injector.exe (PID: 2748)
      • cvtres.exe (PID: 3364)

    • Create files in a temporary directory

      • BD2.Net Injector.exe (PID: 2748)
      • cvtres.exe (PID: 3364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe THREAT bd2.net injector.exe csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2748"C:\Users\admin\Desktop\BD2.Net Injector\BD2.Net Injector.exe" C:\Users\admin\Desktop\BD2.Net Injector\BD2.Net Injector.exe
explorer.exe
User:
admin
Company:
BD2 Co.
Integrity Level:
MEDIUM
Description:
BD2.Net Injector
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\bd2.net injector\bd2.net injector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3364C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES57BD.tmp" "c:\Users\admin\Desktop\BD2.Net Injector\CSC579D.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
3400"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BD2.Net Injector.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3584"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\fj_v4my3.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
BD2.Net Injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
13 852
Read events
13 703
Write events
136
Delete events
13

Modification events

(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3400) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\BD2.Net Injector.rar
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
5
Suspicious files
3
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3400WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3400.32637\BD2.Net Injector\123.exeexecutable
MD5:FF56CE6ED4128BA8205D1C5CF9553C02
SHA256:2AFC150230AFBEDE0E38969A6673934D843295FE8BE6DB6E2B7EBD399A868687
3400WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3400.32637\BD2.Net Injector\BD2.Net Injector.exeexecutable
MD5:F896FD2230EC80959E01C4D3EDE8CD70
SHA256:1876A63391A12016B8B5AE4FB7CC67D0F1AB163F51C673A79EE98E01FE01055F
2748BD2.Net Injector.exeC:\Users\admin\Desktop\BD2.Net Injector\files.resourcesbinary
MD5:CCCCD7863B914ABC8C958F1A3828EFE3
SHA256:AD4043C5C95AA4F74FE5375FF6431848DB52B548CEE26F7CB716AAB9446C83B9
2748BD2.Net Injector.exeC:\Users\admin\AppData\Local\Temp\fj_v4my3.0.cstext
MD5:77A147B5E6C7CF448C8899CA5AE421AC
SHA256:6B95262F66C4499E229582C0C24C6C8E746121B18D4CE1A8F113963FCF627B52
3400WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3400.32637\BD2.Net Injector\scale_1200.pngimage
MD5:92C13C2B55F7EBD0D9BB8A9AC0E50FA8
SHA256:6D7C32A83A3C80693AA2BD9CBE2D1D0F4C6A460655548CDBFE7402C99A6B2B84
3584csc.exeC:\Users\admin\Desktop\BD2.Net Injector\CSC579D.tmpres
MD5:27E1EE53FEADC0F800F27908CFFD6862
SHA256:99C8F3F2EAFDE45535E21A63FA59CB9C771DECBB06148B513207DFF7B8B17C79
3364cvtres.exeC:\Users\admin\AppData\Local\Temp\RES57BD.tmpbinary
MD5:E452CDEB0826A5F631A4A100247B6B5D
SHA256:C07781FEF2F1C754FC089410FD476E1CC3716C8FDD4A894271F5457E4D7CFA03
3584csc.exeC:\Users\admin\Desktop\BD2.Net Injector\1234.pngexecutable
MD5:03819B42D827A93BDD4A7A2606309FAA
SHA256:AAA96F5CE3CD69DD4E22DD13E1EB63AEB95B9F862D56DFD99F640ADFF7118DA9
2748BD2.Net Injector.exeC:\Users\admin\AppData\Local\Temp\fj_v4my3.cmdlinetext
MD5:2D8DDD371174CA556B1D064B2A54B269
SHA256:616D757C5AFBE8535E0743868412064A8F68F4D79F98538D641DAEB5E63B7AF3
2748BD2.Net Injector.exeC:\Users\admin\Desktop\BD2.Net Injector\1234‮gnp.pngexecutable
MD5:03819B42D827A93BDD4A7A2606309FAA
SHA256:AAA96F5CE3CD69DD4E22DD13E1EB63AEB95B9F862D56DFD99F640ADFF7118DA9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1060
svchost.exe
GET
304
23.32.238.219:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
DE
whitelisted
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
1.01 Kb
whitelisted
1372
svchost.exe
GET
200
104.79.89.142:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
1372
svchost.exe
GET
304
2.19.126.163:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
DE
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
239.255.255.250:3702
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
2.19.126.163:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
1372
svchost.exe
104.79.89.142:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 2.19.126.163
  • 2.19.126.137
  • 23.32.238.219
  • 23.32.238.201
  • 23.32.238.208
  • 23.32.238.178
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 104.79.89.142
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BD2.Net Injector.rar