analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

CRACKED%20VAPE.rar

Full analysis: https://app.any.run/tasks/6747b606-e436-4d87-ae89-e84731fe6c63
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 10, 2019, 19:56:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

43553213C7729A889D314A50C85818E1

SHA1:

BA982D147C43238993499560606CC9610603609D

SHA256:

F3C62CB0C1DB9250F4C3DCA891B53B969F7BBB5194D76FAF7FC53EFCE4174001

SSDEEP:

12288:q5YFZY78YFXOhZplqWSL0XdxPbbiqkS/8FqnkUfCHI:qa680OfSY3X/kS/8snkU7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Vape.exe (PID: 2844)
      • winlogon.exe (PID: 3796)
    • Changes the autorun value in the registry

      • Vape.exe (PID: 2844)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2968)
      • Vape.exe (PID: 2844)
    • Starts Internet Explorer

      • Vape.exe (PID: 2844)
    • Creates files in the user directory

      • Vape.exe (PID: 2844)
    • Loads DLL from Mozilla Firefox

      • winlogon.exe (PID: 3796)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3416)
    • Connects to unusual port

      • iexplore.exe (PID: 3416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winrar.exe vape.exe iexplore.exe winlogon.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2968"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f4ded8fa-aae9-4365-a1f0-f571fa40c5a1.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2844"C:\Users\admin\AppData\Local\Temp\Rar$EXa2968.20852\Vape.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2968.20852\Vape.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3416"C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe
Vape.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3796"C:\Users\admin\AppData\Roaming\install\winlogon.exe" C:\Users\admin\AppData\Roaming\install\winlogon.exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
817
Read events
777
Write events
40
Delete events
0

Modification events

(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2968) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\f4ded8fa-aae9-4365-a1f0-f571fa40c5a1.rar
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
2
Suspicious files
1
Text files
1 046
Unknown types
0

Dropped files

PID
Process
Filename
Type
3416iexplore.exeC:\Users\admin\AppData\Local\Temp\UuU.uUutext
MD5:103BDC53031CFFB8D460FB0802209F9C
SHA256:7199231F27F2C3697CBACA53F49F4D291BF511EABDAF7FB4F17C634B88C8C32C
2844Vape.exeC:\Users\admin\AppData\Roaming\install\winlogon.exeexecutable
MD5:3D50C24B19B86D6FB5A38CD28A7B5975
SHA256:C0F19D24FE201326AAB8D6CFD5B61BFACEEE8A8FAF6E1492177C3D6B4A8465A8
3416iexplore.exeC:\Users\admin\AppData\Local\Temp\XxX.xXxtext
MD5:103BDC53031CFFB8D460FB0802209F9C
SHA256:7199231F27F2C3697CBACA53F49F4D291BF511EABDAF7FB4F17C634B88C8C32C
3796winlogon.exeC:\Users\admin\AppData\Local\Temp\IEWEB.abctext
MD5:9E2FBAF6FAE8C687AA4E519EED2CFEC9
SHA256:54F5A85E392B1498DC1D9E8E9E7D685237CBD33320593AEBFEC706D3F6F1CAA1
2968WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2968.20852\Vape.exeexecutable
MD5:3D50C24B19B86D6FB5A38CD28A7B5975
SHA256:C0F19D24FE201326AAB8D6CFD5B61BFACEEE8A8FAF6E1492177C3D6B4A8465A8
2844Vape.exeC:\Users\admin\AppData\Local\Temp\XX--XX--XX.txtbinary
MD5:202082ABF0EAA2F3799440037D46E7E8
SHA256:24531E9FDACEC99BE5778E45A75774845DF7489DFAD7FBE9C4C31FD5ADCF9BCC
3416iexplore.exeC:\Users\admin\AppData\Roaming\logs.dattext
MD5:BF3DBA41023802CF6D3F8C5FD683A0C7
SHA256:4A8E75390856BF822F492F7F605CA0C21F1905172F6D3EF610162533C140507D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3416
iexplore.exe
179.156.249.212:95
CLARO S.A.
BR
unknown

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info