File name:

qilin.bin.zip

Full analysis: https://app.any.run/tasks/8a7ec0a7-8de1-49bc-bfb2-5c65fdce0c4f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 05, 2024, 22:05:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

D4EB7A8B7C34F37395F8E4C863F318E8

SHA1:

3A3AE71C365D089FD80B05C0AFD755E5CCFB52A6

SHA256:

F6E41D29AC9CF68BF48A280A1EDF05E6DC0FCCC5F6FE3709368FB567E3B5AA3E

SSDEEP:

24576:T3y+MHpJWriYNS5ZrrwVEPHcwif/UswkwefErFNflKtIDUKfhK6URCY9mdbtNb0Z:T3y+MHpJWriYNuZrrwVEPHcwif/Uswkf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3964)
      • qilin.exe (PID: 1588)

    • Deletes shadow copies

      • cmd.exe (PID: 1132)

    • Renames files like ransomware

      • qilin.exe (PID: 1588)

  • SUSPICIOUS

    • Creates files like ransomware instruction

      • qilin.exe (PID: 1588)

    • Starts CMD.EXE for commands execution

      • qilin.exe (PID: 1588)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3964)

    • Manual execution by a user

      • cmd.exe (PID: 1060)

    • Reads the computer name

      • qilin.exe (PID: 1588)

    • Dropped object may contain TOR URL's

      • qilin.exe (PID: 1588)

    • Creates files or folders in the user directory

      • qilin.exe (PID: 1588)

    • The dropped object may contain a URL to Tor Browser

      • qilin.exe (PID: 1588)

    • Checks supported languages

      • qilin.exe (PID: 1588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2024:05:30 20:04:24
ZipCRC: 0xfccf2f57
ZipCompressedSize: 783759
ZipUncompressedSize: 1642496
ZipFileName: qilin.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs qilin.exe no specs cmd.exe no specs vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1060"C:\Windows\system32\cmd.exe" C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1132"cmd" /C "vssadmin.exe delete shadows /all /quiet"C:\Windows\System32\cmd.exeqilin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1588qilin.exe -password 1234C:\Users\admin\Desktop\qilin.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\qilin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1944vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3964"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\qilin.bin.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
3 625
Read events
3 611
Write events
14
Delete events
0

Modification events

(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3964) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\qilin.bin.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
1
Suspicious files
121
Text files
38
Unknown types
3

Dropped files

PID
Process
Filename
Type
1588qilin.exeC:\Users\admin\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\AppData\Local\VirtualStore\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\Desktop\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\Contacts\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\Desktop\booksmature.rtf.MmXReVIxLVbinary
MD5:CD53722F31423CD529C2308EBF806781
SHA256:97AC1E9C8FA45216D790C8C4756ADC8C5E5D97BC4C2143B5451A1409ED19FA84
1588qilin.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestampbinary
MD5:D2BF833D4677DBF4B7D4535AE6271DC4
SHA256:50229BA24971F69EF9838A9B042B777162F0826D28E5490A6A564AB6BA1ADCFF
1588qilin.exeC:\Users\admin\Desktop\alsatellite.jpgbinary
MD5:267F87DABE90679BC0749A1215B47789
SHA256:6CEAAB210ABD9ABB2D85411B407F8961C2C56D80ACF9280E2710F812BAC323BA
1588qilin.exeC:\Users\admin\Desktop\homesprogramming.pngbinary
MD5:E9B51022E054BFA25B99296BEB37B0EB
SHA256:978049BB4B1D391D13459FBEF81A72B69FACD009F72B3749E2BA8465816EF93E
1588qilin.exeC:\Users\admin\Desktop\currentlylinux.pngbinary
MD5:217CF8DACADC8206A18FC2CC0E0C82F9
SHA256:FEEEE7F7CF09DC3E3829293085520A05E50E4D0896E7FBDB77E0DD1AECDE54E7
1588qilin.exeC:\Users\admin\Desktop\currentlylinux.png.MmXReVIxLVbinary
MD5:217CF8DACADC8206A18FC2CC0E0C82F9
SHA256:FEEEE7F7CF09DC3E3829293085520A05E50E4D0896E7FBDB77E0DD1AECDE54E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
qilin.bin.zip