File name:

qilin.bin.zip

Full analysis: https://app.any.run/tasks/8a7ec0a7-8de1-49bc-bfb2-5c65fdce0c4f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 05, 2024, 22:05:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

D4EB7A8B7C34F37395F8E4C863F318E8

SHA1:

3A3AE71C365D089FD80B05C0AFD755E5CCFB52A6

SHA256:

F6E41D29AC9CF68BF48A280A1EDF05E6DC0FCCC5F6FE3709368FB567E3B5AA3E

SSDEEP:

24576:T3y+MHpJWriYNS5ZrrwVEPHcwif/UswkwefErFNflKtIDUKfhK6URCY9mdbtNb0Z:T3y+MHpJWriYNuZrrwVEPHcwif/Uswkf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3964)
      • qilin.exe (PID: 1588)

    • Deletes shadow copies

      • cmd.exe (PID: 1132)

    • Renames files like ransomware

      • qilin.exe (PID: 1588)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • qilin.exe (PID: 1588)

    • Creates files like ransomware instruction

      • qilin.exe (PID: 1588)

  • INFO

    • Checks supported languages

      • qilin.exe (PID: 1588)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3964)

    • Reads the computer name

      • qilin.exe (PID: 1588)

    • Manual execution by a user

      • cmd.exe (PID: 1060)

    • The dropped object may contain a URL to Tor Browser

      • qilin.exe (PID: 1588)

    • Dropped object may contain TOR URL's

      • qilin.exe (PID: 1588)

    • Creates files or folders in the user directory

      • qilin.exe (PID: 1588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2024:05:30 20:04:24
ZipCRC: 0xfccf2f57
ZipCompressedSize: 783759
ZipUncompressedSize: 1642496
ZipFileName: qilin.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs qilin.exe no specs cmd.exe no specs vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1060"C:\Windows\system32\cmd.exe" C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1132"cmd" /C "vssadmin.exe delete shadows /all /quiet"C:\Windows\System32\cmd.exeqilin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1588qilin.exe -password 1234C:\Users\admin\Desktop\qilin.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\qilin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1944vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3964"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\qilin.bin.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
3 625
Read events
3 611
Write events
14
Delete events
0

Modification events

(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3964) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\qilin.bin.zip
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
1
Suspicious files
121
Text files
38
Unknown types
3

Dropped files

PID
Process
Filename
Type
3964WinRAR.exeC:\Users\admin\Desktop\qilin.binexecutable
MD5:6A93E618E467ED13F98819172E24FFFA
SHA256:E90BDAAF5F9CA900133B699F18E4062562148169B29CB4EB37A0577388C22527
1588qilin.exeC:\Users\admin\Desktop\cattype.jpgbinary
MD5:13199B0E45129D5CCFFBCC7EB54B7A90
SHA256:F2315DA2D65A43ACC51B7F0CADD8F8999E134055648ABD486DD159212AC9CD59
1588qilin.exeC:\Users\admin\Desktop\cattype.jpg.MmXReVIxLVbinary
MD5:13199B0E45129D5CCFFBCC7EB54B7A90
SHA256:F2315DA2D65A43ACC51B7F0CADD8F8999E134055648ABD486DD159212AC9CD59
1588qilin.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.MmXReVIxLVbinary
MD5:D2BF833D4677DBF4B7D4535AE6271DC4
SHA256:50229BA24971F69EF9838A9B042B777162F0826D28E5490A6A564AB6BA1ADCFF
1588qilin.exeC:\Users\admin\Desktop\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestampbinary
MD5:D2BF833D4677DBF4B7D4535AE6271DC4
SHA256:50229BA24971F69EF9838A9B042B777162F0826D28E5490A6A564AB6BA1ADCFF
1588qilin.exeC:\Users\admin\.oracle_jre_usage\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\Contacts\README-RECOVER-MmXReVIxLV.txttext
MD5:21011D2A604B959ECD197111B371BDF0
SHA256:3E5836243B7764510EF51E6E09F4AF6D1ED3BACA78A89D50268E367A402F0076
1588qilin.exeC:\Users\admin\Desktop\alsatellite.jpgbinary
MD5:267F87DABE90679BC0749A1215B47789
SHA256:6CEAAB210ABD9ABB2D85411B407F8961C2C56D80ACF9280E2710F812BAC323BA
1588qilin.exeC:\Users\admin\Desktop\booksmature.rtfbinary
MD5:CD53722F31423CD529C2308EBF806781
SHA256:97AC1E9C8FA45216D790C8C4756ADC8C5E5D97BC4C2143B5451A1409ED19FA84
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
qilin.bin.zip