File name: Debug.rar
Full analysis: https://app.any.run/tasks/460aec41-edab-437b-bd26-8958925f4c8a
Verdict: Malicious activity
Analysis date: November 16, 2019, 13:16:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 78AE9CC8BE660A5555AF8F5DC01799AB
SHA1: C8103C2A69C25DC1591732B8144E1C0326EFB4B9
SHA256: F9143EFB383F669D2D6012FA43194F229701A60F275C43EDE5A8BDC7F9ED0D51
SSDEEP: 98304:Nm5qBP4fYidnn12HK/XYmTymOi4HLVxbAjBBM2z:Nuk4wEX/XYmJO1AjL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SMSiT POF2.exe (PID: 2428)
      • SearchProtocolHost.exe (PID: 3464)
      • SMSiT POF2.exe (PID: 776)
    • Application was dropped or rewritten from another process

      • SMSiT POF2.exe (PID: 2428)
      • SMSiT POF2.exe (PID: 776)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1520)
  • INFO

    • Manual execution by user

      • SMSiT POF2.exe (PID: 2428)
      • SMSiT POF2.exe (PID: 776)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 1520)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Process information

PID 1520
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Debug.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3464
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Exit code: 0
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 2428
  CMD: "C:\Users\admin\Desktop\Debug\SMSiT POF2.exe"
  Path: C:\Users\admin\Desktop\Debug\SMSiT POF2.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: POF - CRACKER
  Exit code: 0
  Version: 1.0.0.0

PID 776
  CMD: "C:\Users\admin\Desktop\Debug\SMSiT POF2.exe"
  Path: C:\Users\admin\Desktop\Debug\SMSiT POF2.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: POF - CRACKER
  Exit code: 0
  Version: 1.0.0.0

Reading the tree: WinRAR.exe opened Debug.rar from the Temp folder, the analyst extracted it to Desktop\Debug and launched SMSiT POF2.exe twice by hand (both instances have explorer.exe as parent, matching the "Manual execution by user" indicator). SearchProtocolHost.exe is the Windows Search indexer's protocol host, spawned by SearchIndexer.exe as SYSTEM; its listing under "Loads dropped or rewritten executable" is most plausibly the indexer reading the freshly extracted files, not activity of the cracker, so it should not be treated as a malicious child process.
Total events: 1 351
Read events: 1 281
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 4
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

All eight files were written by WinRAR.exe (PID 1520) under C:\Users\admin\AppData\Local\Temp\Rar$DRa1520.21679\Debug\ while it handled Debug.rar. Where the report recorded no type or hash for a file, none is given here.

System.Windows.Forms.dll
  Type / MD5 / SHA256: not recorded in the report

xNet.dll
  Type / MD5 / SHA256: not recorded in the report

SMSiT POF.pdb (pdb)
  MD5: FB496878E758168F0D5289A7125B7DDD
  SHA256: 4EB0F34C2C6383DE42E67828E9F9E57AA72FED9375783D6FFBC6A7D4740ED9BA

symbols.map (text)
  MD5: 5375CFE14482C4D0CAACDCC0E9B418A1
  SHA256: B969970BDCAD2424B615CA0502669811FFECA0EBB5008D7C3BF7BC1F65D0D8E6

System.Drawing.dll (executable)
  MD5: 6501CAEFB774E9F36DBCA541D99D8C9C
  SHA256: 0F84F4D9764B0EB7ECA237288671883F308B20CC3CED40923AF15E061B0E377B

SuperEngine.dll (executable)
  MD5: 1A747B12DC16AC54760AB52C06620EDF
  SHA256: EA7F2057B2A5F65D2B25762AB2BC64C2A3AB106A3EF13B52E504A516A3C21418

SMSiT POF2.exe (executable)
  MD5: CF86A1D9F4D4E534EA82E36B92C39542
  SHA256: 8C6F989FA4E95C0C81B515A1F940577B23B7B4066F966630037FA03E6D1C106A

System.dll (executable)
  MD5: E212D610EBBFE8FB77967BDBC1838006
  SHA256: D1411F108CA845B2F40B7483B261E643C0AE1EC8E6D529CC5B487EFECB99619B

The archive ships a program-database file (SMSiT POF.pdb) and a linker map (symbols.map) next to the binary, so this is a debug build, consistent with the folder name Debug; the bundled System.Windows.Forms.dll, System.Drawing.dll and System.dll carry the names of .NET Framework assemblies. Note that the .pdb is named "SMSiT POF" while the executable is "SMSiT POF2.exe".
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID   Process         Method  HTTP Code  IP                URL                                         CN  Type  Size  Reputation
776   SMSiT POF2.exe  GET     200        174.136.57.7:80   http://pofhack.safensa.club/logout.php?u=   US  text  5 b   suspicious
2428  SMSiT POF2.exe  GET     200        174.136.57.7:80   http://pofhack.safensa.club/logout.php?u=   US  text  5 b   suspicious

Both instances issue the same plain-HTTP GET to /logout.php with the u= parameter left empty and receive a 5-byte text response; the response body is not shown in this summary.

Connections

PID   Process         IP                Domain                 ASN         CN  Reputation
776   SMSiT POF2.exe  174.136.57.7:80   pofhack.safensa.club   Colo4, LLC  US  suspicious
2428  SMSiT POF2.exe  174.136.57.7:80   pofhack.safensa.club   Colo4, LLC  US  suspicious

DNS requests

Domain                 IP             Reputation
pofhack.safensa.club   174.136.57.7   suspicious
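The network and file indicators above are small enough to turn straight into a matcher. The script below is an added example, not part of the ANY.RUN report: it loads the domain, IP and beacon shape (/logout.php with an empty u= parameter) from the HTTP, Connections and DNS tables plus the SHA256 values of the dropped executables, then runs them over a few constructed proxy log lines. The "client method url status" log format and the client addresses are invented for the example; only the IOC values come from the report.

```python
"""Match the IOCs from the ANY.RUN report (domain, IP, beacon URL shape,
dropped-file SHA256 hashes) against log lines. Added example, not report code."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Network IOCs copied from the report's HTTP / Connections / DNS tables.
IOC_DOMAINS = {"pofhack.safensa.club"}
IOC_IPS = {"174.136.57.7"}
# Both SMSiT POF2.exe instances fetched /logout.php?u= (u left empty).
IOC_BEACON_PATHS = {"/logout.php"}

# SHA256 of the dropped executables, copied from the Dropped files table.
IOC_SHA256 = {h.lower(): name for h, name in [
    ("8C6F989FA4E95C0C81B515A1F940577B23B7B4066F966630037FA03E6D1C106A", "SMSiT POF2.exe"),
    ("EA7F2057B2A5F65D2B25762AB2BC64C2A3AB106A3EF13B52E504A516A3C21418", "SuperEngine.dll"),
    ("0F84F4D9764B0EB7ECA237288671883F308B20CC3CED40923AF15E061B0E377B", "System.Drawing.dll"),
    ("D1411F108CA845B2F40B7483B261E643C0AE1EC8E6D529CC5B487EFECB99619B", "System.dll"),
]}

# Constructed proxy log lines ("client method url status"); not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://pofhack.safensa.club/logout.php?u= 200
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.15 GET http://174.136.57.7/logout.php?u=alice 200
10.0.0.20 POST http://update.example.org/check 200
"""

LOG_LINE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_url(url):
    """Return the IOC reasons that apply to one URL (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if host in IOC_IPS:
        reasons.append("ioc_ip")
    # Weaker, shape-based indicator: the report's beacon is /logout.php with u= empty.
    if parts.path in IOC_BEACON_PATHS and query.get("u") == [""]:
        reasons.append("beacon_shape")
    return reasons


def scan_proxy_log(text):
    """Return (client, url, reasons) for every log line that matches an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # line does not fit the constructed format; skip it
        reasons = match_url(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


def lookup_sha256(data):
    """Hash a file's bytes and return the matching dropped-file name, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
    print(lookup_sha256(b"constructed bytes, not the real sample"))
```

The host and IP matches are the strong signals; "beacon_shape" on its own is deliberately weak, since a /logout.php with an empty parameter is common on legitimate sites, and it is returned separately so a consumer can use it only to raise the priority of a host or hash hit. The hash lookup takes raw bytes rather than a path so it can be fed from an EDR file event or a quarantined sample without touching disk.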

Threats

No threats detected
No debug info