File name: Wizzy 1.0 [STABLE].rar
Full analysis: https://app.any.run/tasks/0a64fa3e-93be-4fe1-8529-944d1c259201
Verdict: Malicious activity
Analysis date: May 30, 2020, 05:48:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 7B4BB001EF638D383DB5D25D98422DE1
SHA1: A1A60921C9085CBCA879F74682FE17609831751D
SHA256: EE548018D5AD976A9080021F2699D612601EF5E30CFE62FC6150F599C247C244
SSDEEP: 24576:zcvUw05mZTVxCgZa+FoGYoA2HvFS7gH9fJGPH/2SpSI3iRaAV2tG6/ad:zcMw05mBCE3fVpdqgdwv9UIzAVhf
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Wizzy.exe (PID: 3340)
    • Application was dropped or rewritten from another process
      • Wizzy.exe (PID: 3340)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2832)
    • Creates files in the program directory
      • Wizzy.exe (PID: 3340)
  • INFO
    No info indicators.
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 35
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph:
winrar.exe --(drop and start)--> wizzy.exe
winrar.exe --(start)--> notepad.exe (no specs)

Process information

PID: 2832
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Wizzy 1.0 [STABLE].rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3340
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Wizzy.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Wizzy.exe
Parent process: WinRAR.exe
User: admin
Company: iL0nked is nice
Integrity Level: MEDIUM
Description: Wizzy
Version: 1.0.0.0

PID: 4036
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2832.7297\New Text Document (3).txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 514
Read events: 472
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 8
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

All dropped files were written by PID 2832 (WinRAR.exe):

C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Discord.Net.Rest.dll (executable)
  MD5: 88918944E9F9CBA802986ACC328561D7
  SHA256: 734D1CD614E1B75536AA75AB30538C7EBBBE2AA2887DDC14DB4514811451780B
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Discord.Net.WebSocket.dll (executable)
  MD5: 971281F3F2490C8F4908627D5F61987F
  SHA256: B8163917A337A9638DBB8FCA5278D68B8AD2BA420E67810E17F9A78F69698708
C:\Users\admin\AppData\Local\Temp\Rar$DIa2832.7297\New Text Document (3).txt (text)
  MD5: 24A4AA3C5DDB19475856706F835CE74C
  SHA256: 4366B327EF0ED8E7ED8419532FDC09015A269EC4253C31FA621FA96E17B6A8C0
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Wizzy.exe (executable)
  MD5: 45E82A752360E0FCB01AF666D4CF0236
  SHA256: E0753B95AA5A366729D15547CFE3E7A2FAEE051FDD69AC828F5F8416807E3A7A
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\New Text Document (3).txt (text)
  MD5: 24A4AA3C5DDB19475856706F835CE74C
  SHA256: 4366B327EF0ED8E7ED8419532FDC09015A269EC4253C31FA621FA96E17B6A8C0
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\System.Collections.Immutable.dll (executable)
  MD5: AAD3B7C5828E16B4C8071E5AD64B3F7D
  SHA256: A8E9CE5D4DB1897A939E60860154617300B0DFA4C4D3E10341F21AF0DE4BBFD5
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Discord.Net.Core.dll (executable)
  MD5: 40E996C611EDB53F37B4FBB69C4A5DD2
  SHA256: B89083E8DAE8B40ACBFB383844F30A3020925ACFAB4A97333DF8DEC1B5F97334
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\readme.txt (text)
  MD5: D20ED81AE5B258CA643662F3157E2037
  SHA256: EE3BCB5719C625AB79EC62117D4419F2ABF3EA1ADF62D3B090E4084E42399FE2
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\Settings.json (text)
  MD5: 3B16BAAE1105255B292132784D6FBB97
  SHA256: 07C430FF9D8DAD380C21C891E763BA0C2DEFD0F7FE9B8E2642973D30FED75AF2
C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]\WizzySettings.dll (executable)
  MD5: 8C4287195E98DD1F722AA3881F46471A
  SHA256: EAF70C365A11CE6D7CF9C3257B8B8FD607AA9D30FE5A9080351C3AAA7642B60F
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3340 (Wizzy.exe)
IP: 162.159.130.233:443
Domain: discordapp.com
ASN: Cloudflare Inc
CN: (no value shown in the report)
Reputation: shared

DNS requests

Domain: discordapp.com
Resolved IPs:
  • 162.159.130.233
  • 162.159.135.233
  • 162.159.129.233
  • 162.159.133.233
  • 162.159.134.233
Reputation: whitelisted

Threats

No threats detected
No debug info
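The chain the report records (WinRAR PID 2832 extracting the archive into a Rar$EXa temp directory, Wizzy.exe PID 3340 launched from that directory by WinRAR, loading the dropped Discord.Net DLLs and then connecting to discordapp.com:443) is the same "drop and start" pattern an endpoint detection would key on. The Python below is an added example and is not part of the ANY.RUN report or of the Wizzy sample: it correlates a constructed stream of endpoint events modelled on the process, dropped-file and connection tables above. The event schema, the `correlate` function, the rule names and the regular expression for WinRAR temp directories are assumptions made for the example; the paths, PIDs and SHA256 values are copied from the report.

```python
"""Correlate 'drop and start' behaviour from endpoint telemetry.

Added example, not part of the ANY.RUN report. SAMPLE_EVENTS is constructed
to mirror the report's tables; the Event schema and rule names are assumed.
"""
import re
from dataclasses import dataclass

# SHA256 of Wizzy.exe as listed in the report's dropped-files table.
IOC_SHA256 = {"E0753B95AA5A366729D15547CFE3E7A2FAEE051FDD69AC828F5F8416807E3A7A"}

# WinRAR extracts into %TEMP%\Rar$<tag><pid>.<n>\ (Rar$EXa... and Rar$DIa... in the report).
RAR_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\Rar\$[A-Za-z]+\d+\.\d+\\", re.IGNORECASE)
ARCHIVERS = {"winrar.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


@dataclass
class Event:
    kind: str            # file_create | process_create | image_load | net_connect
    pid: int             # process that generated the event
    image: str           # its image path
    path: str = ""       # file written / new process image / loaded module
    parent_image: str = ""
    new_pid: int = 0
    sha256: str = ""
    dest: str = ""       # net_connect: "ip:port (domain)"


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, ioc_hashes=frozenset()):
    """Return (rule, detail) findings from an ordered event stream."""
    dropped = {}   # lower-cased path -> file_create of an executable in a Rar$ temp dir
    started = {}   # pid -> image path of a process launched from a dropped executable
    findings = []
    for ev in events:
        if ev.kind == "file_create":
            if (_name(ev.image) in ARCHIVERS and RAR_TEMP_RE.search(ev.path)
                    and ev.path.lower().endswith(EXEC_EXT)):
                dropped[ev.path.lower()] = ev
                if ev.sha256.upper() in ioc_hashes:
                    findings.append(("ioc_hash_match", ev.path))
        elif ev.kind == "process_create":
            # "Application was dropped or rewritten from another process"
            if ev.path.lower() in dropped and _name(ev.parent_image) in ARCHIVERS:
                findings.append(("drop_and_start", f"{_name(ev.parent_image)} -> {ev.path}"))
                started[ev.new_pid] = ev.path
        elif ev.kind == "image_load":
            # "Loads dropped or rewritten executable"
            if ev.pid in started and ev.path.lower() in dropped:
                findings.append(("loads_dropped_executable",
                                 f"{_name(started[ev.pid])} loads {_name(ev.path)}"))
        elif ev.kind == "net_connect":
            if ev.pid in started:
                findings.append(("temp_exe_network", f"{_name(started[ev.pid])} -> {ev.dest}"))
    return findings


# Constructed events reproducing the report's process tree and dropped files.
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
EXTRACT = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2832.6827\Wizzy 1.0 [STABLE]"
VIEW = r"C:\Users\admin\AppData\Local\Temp\Rar$DIa2832.7297"
NOTEPAD = r"C:\Windows\system32\NOTEPAD.EXE"

SAMPLE_EVENTS = [
    Event("file_create", 2832, WINRAR, EXTRACT + r"\Discord.Net.Core.dll",
          sha256="B89083E8DAE8B40ACBFB383844F30A3020925ACFAB4A97333DF8DEC1B5F97334"),
    Event("file_create", 2832, WINRAR, EXTRACT + r"\Wizzy.exe",
          sha256="E0753B95AA5A366729D15547CFE3E7A2FAEE051FDD69AC828F5F8416807E3A7A"),
    Event("file_create", 2832, WINRAR, VIEW + r"\New Text Document (3).txt",
          sha256="4366B327EF0ED8E7ED8419532FDC09015A269EC4253C31FA621FA96E17B6A8C0"),
    Event("process_create", 2832, WINRAR, EXTRACT + r"\Wizzy.exe", parent_image=WINRAR, new_pid=3340),
    # Notepad opened from the viewer directory: a Windows binary, not a dropped one, so no alert.
    Event("process_create", 2832, WINRAR, NOTEPAD, parent_image=WINRAR, new_pid=4036),
    Event("image_load", 3340, EXTRACT + r"\Wizzy.exe", EXTRACT + r"\Discord.Net.Core.dll"),
    Event("net_connect", 3340, EXTRACT + r"\Wizzy.exe", dest="162.159.130.233:443 (discordapp.com)"),
]


def analyze_sample():
    return correlate(SAMPLE_EVENTS, IOC_SHA256)


if __name__ == "__main__":
    for rule, detail in analyze_sample():
        print(f"{rule:26} {detail}")
```

The archiver-parent plus Rar$ temp-path condition is what separates the Wizzy.exe launch from the notepad.exe launch in the same tree: both have WinRAR.exe as parent, but only the former runs a binary that WinRAR itself just wrote. Keying on the Rar$DIa/Rar$EXa path alone would also fire on every document a user opens from inside an archive, so the process_create rule requires the image to be in the dropped set. Hash matching is kept as a separate rule because a rebuilt sample changes its hash while the drop-and-start behaviour stays the same.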