File name: mbot_joysro1.zip
Full analysis: https://app.any.run/tasks/2fd5064f-41bd-4d6b-a46a-e5381776a482
Verdict: Malicious activity
Analysis date: July 24, 2021, 16:26:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 2F2E21DF2A528DD230562DEEF2BB6EBA
SHA1: F4B33AE91F1DB73BFFBC5F7D8D3B3EB5185E2F43
SHA256: E6978C4F4FEEC5D8C153EE0CC12FFC7DDF43BCC2E38178C57E353B4E728BB2BE
SSDEEP: 98304:k32i9R3iZzSjQIBajCllV+MhFUmI4lzlaMd1OFjh0W8aauVevr660prteBvceTsy:k3xSZzSjNCilgQvlBOFjhX8aB8vr66o8
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3708)
        Note: SearchProtocolHost.exe is the Windows Search indexer's crawler process, started by SearchIndexer.exe as SYSTEM (see Process information), not by WinRAR. The extracted merrsend.exe never appears as a process in this run and no network activity was recorded, so this indexer-side load of an extracted executable is the only behaviour behind the Malicious verdict.
  • SUSPICIOUS
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 1680)
    • Checks supported languages
      • WinRAR.exe (PID: 1680)
    • Reads the computer name
      • WinRAR.exe (PID: 1680)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 1680)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • WinRAR.exe (PID: 1680)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1680)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 1680)
  • INFO
    • No info indicators.
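The three compile-date signatures and "compiled in debug mode" above are judgements about the PE headers of the extracted executables. The following is an added example, not ANY.RUN's own signature logic (the report does not state its thresholds): it reads the COFF TimeDateStamp, classifies it against the analysis date from the report header, and flags debug-CRT DLLs by name (msvcr100d.dll, listed under Dropped files, is the VS2010 debug runtime). Assumptions: the 2005 "too old" cut-off, the name-based debug heuristic, and the minimal PE images, which are constructed here rather than taken from the dropped merrsend.exe, psilk.dll or mBotCrack.dll.

```python
import re
import struct
from datetime import datetime, timezone

# Analysis date from the report header; a compile time later than this is "too recent".
ANALYSIS_DATE = datetime(2021, 7, 24, 16, 26, 34, tzinfo=timezone.utc)
# Assumed cut-off for "too old"; the sandbox's real threshold is not given in the report.
TOO_OLD_BEFORE = datetime(2005, 1, 1, tzinfo=timezone.utc)
# Debug builds of the Microsoft C runtime carry a trailing "d" (msvcr100d.dll = VS2010 debug CRT).
DEBUG_CRT = re.compile(r"^(msvcr\d+d|msvcp\d+d|vcruntime\d+d|ucrtbased)\.dll$", re.IGNORECASE)


def pe_coff_header(data: bytes):
    """Return (Machine, TimeDateStamp, Characteristics) from the COFF header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _nsections, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return machine, stamp, chars


def classify_compile_time(stamp: int, analysis_date=ANALYSIS_DATE, too_old_before=TOO_OLD_BEFORE) -> str:
    """Map a COFF TimeDateStamp onto the report's compile-date signatures."""
    if stamp == 0:
        return "zeroed"  # scrubbed timestamp, not a date
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if built > analysis_date:
        # The field is attacker-controlled, and MSVC /Brepro builds store a hash here,
        # so "too recent" also fires on legitimate reproducible builds.
        return "too recent"
    if built < too_old_before:
        return "too old"
    return "plausible"


def debug_crt_files(paths):
    """Dropped file names that are debug-CRT DLLs, a hint that the dropper was built in debug mode."""
    return [p for p in paths if DEBUG_CRT.match(p.replace("/", "\\").rsplit("\\", 1)[-1])]


def build_minimal_pe(stamp: int, machine: int = 0x14C, chars: int = 0x0102) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header, enough for pe_coff_header()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, stamp, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def triage(data: bytes) -> dict:
    """Summarise the header fields a compile-date signature looks at."""
    machine, stamp, chars = pe_coff_header(data)
    return {
        "machine": "x86" if machine == 0x14C else "x64" if machine == 0x8664 else hex(machine),
        "is_dll": bool(chars & 0x2000),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "verdict": classify_compile_time(stamp),
    }


# Executables listed under Dropped files in the report, used only for the name check.
DROPPED = ["merrsend.exe", "psilk.dll", "msvcr100d.dll", "mBotCrack.dll"]

if __name__ == "__main__":
    for when in (datetime(1999, 6, 1, tzinfo=timezone.utc),
                 datetime(2016, 12, 31, 14, 38, 26, tzinfo=timezone.utc),
                 datetime(2022, 3, 15, tzinfo=timezone.utc)):
        print(triage(build_minimal_pe(int(when.timestamp()))))
    print("debug CRT:", debug_crt_files(DROPPED))
```

Run it against the real extracted files by passing `open(path, "rb").read()` to `triage()`; a "too recent" result on a binary that is otherwise consistent is worth checking against the /Brepro case before treating it as timestomping.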
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: mbot/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2016:12:31 14:38:26
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
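The EXIF fields above are the fields of a ZIP local file header: version needed to extract (20 = "at least v2.0"), general-purpose bit flag, compression method (0 = stored, shown as "None"), MS-DOS modification time and date, CRC-32, sizes and file name. The following is an added example, not part of the ANY.RUN report: it parses one local file header into those field names, decodes the 2-second-resolution DOS timestamp, and cross-checks the parser against an archive written by Python's zipfile module. The "mbot/" sample header is constructed from the values the report lists (a directory entry, hence CRC 0 and no data); the config.ini content in the cross-check is invented.

```python
import io
import struct
import zipfile
from datetime import datetime

# ZIP local file header (PKWARE APPNOTE 4.3.7): little-endian, 30 fixed bytes before the name.
LOCAL_SIG = b"PK\x03\x04"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
COMPRESSION = {0: "None", 8: "Deflate", 9: "Deflate64", 12: "BZIP2", 14: "LZMA", 93: "Zstandard", 99: "AES"}


def dos_to_datetime(dos_date: int, dos_time: int) -> datetime:
    """Unpack the MS-DOS date/time ZIP stores: 2-second resolution, no time zone."""
    return datetime(
        ((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F,
        (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def datetime_to_dos(dt: datetime):
    """Pack a datetime the way ZIP does; odd seconds are rounded down."""
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return dos_date, dos_time


def parse_local_header(buf: bytes, offset: int = 0) -> dict:
    """Decode one local file header into the field names the EXIF listing uses."""
    if len(buf) < offset + LOCAL_HEADER.size:
        raise ValueError("truncated local file header")
    sig, ver, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = LOCAL_HEADER.unpack_from(buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no PK\\x03\\x04 signature at offset %d" % offset)
    name_off = offset + LOCAL_HEADER.size
    raw_name = buf[name_off:name_off + nlen]
    if len(raw_name) != nlen:
        raise ValueError("truncated file name")
    name = raw_name.decode("utf-8" if flags & 0x0800 else "cp437")
    return {
        "ZipFileName": name,
        "ZipUncompressedSize": usize,
        "ZipCompressedSize": csize,
        "ZipCRC": "0x%08X" % crc,
        "ZipModifyDate": dos_to_datetime(mdate, mtime),
        "ZipCompression": COMPRESSION.get(method, "unknown(%d)" % method),
        "ZipBitFlag": flags,
        "ZipRequiredVersion": ver,                      # 20 means "at least v2.0 to extract"
        "Encrypted": bool(flags & 0x0001),
        "SizesInDataDescriptor": bool(flags & 0x0008),  # CRC/sizes here are 0; the real ones follow the data
        "IsDirectory": name.endswith("/") and usize == 0 and crc == 0,
        "DataOffset": name_off + nlen + xlen,
    }


def build_local_header(name: str, mtime: datetime, method=0, crc=0, csize=0, usize=0, ver=20, flags=0) -> bytes:
    """Constructed sample header; the defaults are the values the report shows for the mbot/ entry."""
    mdate, dos_time = datetime_to_dos(mtime)
    raw = name.encode("cp437")
    return LOCAL_HEADER.pack(LOCAL_SIG, ver, flags, method, dos_time, mdate, crc, csize, usize, len(raw), 0) + raw


# Constructed sample: the "mbot/" directory entry (stored, CRC 0, no data).
SAMPLE_DIR_HEADER = build_local_header("mbot/", datetime(2016, 12, 31, 14, 38, 26))


def real_archive_first_entry() -> dict:
    """Cross-check: write a real archive with zipfile and parse its first local header at offset 0."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", compression=zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("mbot/config.ini", date_time=(2016, 12, 31, 14, 38, 26))
        zf.writestr(info, b"[mbot]\nserver=example\n")  # constructed content, 22 bytes
    return parse_local_header(bio.getvalue())


if __name__ == "__main__":
    for key, value in parse_local_header(SAMPLE_DIR_HEADER).items():
        print("%-22s %s" % (key + ":", value))
    print(real_archive_first_entry())
```

Note that a directory entry legitimately carries CRC 0 and zero sizes, so those values alone say nothing about the archive; a stored (method 0) entry also means the member's bytes sit uncompressed at DataOffset, where they can be hashed without extracting.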
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph (image not reproduced; see the full report)

start -> winrar.exe; searchprotocolhost.exe (no specs)

Process information

PID: 1680
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\mbot_joysro1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3708
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 1 688
Read events: 1 675
Write events: 13
Delete events: 0

Modification events (all registry writes by (1680) WinRAR.exe)

Key | Name | Value
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | -
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | -
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\mbot_joysro1.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 8
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files (all written by (1680) WinRAR.exe under C:\Users\admin\AppData\Local\Temp\Rar$DRb1680.17914\mbot\)

Filename | Type | MD5 | SHA256
config.ini | text | - | -
picksettings.dat | text | - | -
softdata.bin | text | - | -
chatBlock.txt | ini | C240A27B5954378745EFFAC898944C63 | C9B520FBF28A8D9F2342B51D5A66CD4D191194B9D1BEB4C35F61A1ACDDB85E6C
merrsend.exe | executable | 7BEEB35C3BDE8CAAB110B5DC3A45218C | 62738C3E6E2DC132DBCE415191383C64B76E460F80AF5714D7EF4A4ACEABC25A
psilk.dll | executable | F10823B20021569726929CBE2B3E9114 | BCC0A22AABEA03511150C83E0573CE73D0035D2DF7FE3302D0CF499066AA6457
pk2config.ini | ini | F84C2D34FFDB1D47BF79DB133281BE67 | DD0932B3FB45F9882CC177BFBBB847439F2A4B574B97B8DB23E3C622FE6F7456
desktop.ini | text | 15478B340A8362BB79FD2A6EA0DDE1A0 | 27991CD3E2892702F610FD5262898F1C3DFA37E2A05082FD793BCE61E99E2D98
msvcr100d.dll | executable | D57E2EDA325BAC8081FD054209D736AE | 5E47C4CF08450EA73D10E705FDCE727ACE66F8BCF4984028B1B17C91B8F630A6
mBotCrack.dll | executable | 45097BE0F7B5010A1A25DE470DD461EC | 6BFC916ECC15B4B9ED6888ABA5595DBFC67610A475276E3EBDC75FCDF9DA7A0F
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info