File name: Godzilla_loader_bulder.rar
Full analysis: https://app.any.run/tasks/a6b2e75b-3b14-47f6-9291-ab618e15e1f8
Verdict: Malicious activity
Analysis date: March 21, 2019, 08:06:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: CF9B8442C30BA42717224A8C0B040710
SHA1: 014618F7780AA06A4ADED1082CE4F739341CD2C0
SHA256: F9331B3B4C5F4FA95CCF776C575F674D08D982CA7C8335AB473FDA9EC1F9574F
SSDEEP: 384:df4bDd6BK9g62lOUw+NXk8NFwd86fKDABnzcEGszhPByD:tCDdmKW6y7NVNud8SKMZzm6hPByD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • builder.exe (PID: 4044)
      • cracked.exe (PID: 3104)
  • SUSPICIOUS
    • Reads internet explorer settings
      • cracked.exe (PID: 3104)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2924)
    • Starts CMD.EXE for commands execution
      • cracked.exe (PID: 3104)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD:
  .rar | RAR compressed archive (v-4.x) (58.3)
  .rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP):
  CompressedSize: 10892
  UncompressedSize: 24576
  OperatingSystem: Win32
  ModifyDate: 2017:08:04 21:37:02
  PackingMethod: Normal
  ArchivedFileName: builder.exe

No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process nodes, "no specs" = no signatures triggered for that process):
  start -> winrar.exe, builder.exe (no specs), cracked.exe, cmd.exe (no specs)

Process information

PID: 2924
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Godzilla_loader_bulder.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 4044
CMD: "C:\Users\admin\Desktop\builder.exe"
Path: C:\Users\admin\Desktop\builder.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3104
CMD: "C:\Users\admin\Desktop\cracked.exe"
Path: C:\Users\admin\Desktop\cracked.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225547

PID: 3520
CMD: "C:\Windows\system32\cmd.exe" /c del C:\Users\admin\Desktop\cracked.exe >> NUL
Path: C:\Windows\system32\cmd.exe
Parent process: cracked.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 435
Read events: 409
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 2
Suspicious files: 0
Text files: 16
Unknown types: 0

Dropped files

PID: 3104 | Process: cracked.exe | Type: (empty)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1]
MD5: (empty)
SHA256: (empty)

PID: 3104 | Process: cracked.exe | Type: (empty)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\errorPageStrings[1]
MD5: (empty)
SHA256: (empty)

PID: 3104 | Process: cracked.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\httpErrorPagesScripts[1]
MD5: E7CA76A3C9EE0564471671D500E3F0F3
SHA256: 58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C

PID: 3104 | Process: cracked.exe | Type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dnserrordiagoff_webOC[1]
MD5: 3948EF3D9F9FB9FD68BFBBCDBDCFC605
SHA256: 1D5E9DC7114347EF6C6E7A89EBE73CAB3FA45CC9728943A5FFB3CB91ADF6E8FE

PID: 3104 | Process: cracked.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
MD5: 1A0563F7FB85A678771450B131ED66FD
SHA256: EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C

PID: 3104 | Process: cracked.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\errorPageStrings[1]
MD5: 1A0563F7FB85A678771450B131ED66FD
SHA256: EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C

PID: 3104 | Process: cracked.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]
MD5: 555E83CE7F5D280D7454AF334571FB25
SHA256: 70F316A5492848BB8242D49539468830B353DDAA850964DB4E60A6D2D7DB4880

PID: 2924 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2924.10138\cracked.exe
MD5: 6B553D6D754366C808F4E03176CD88BE
SHA256: 3A964036206A3FBA6D8DC120B9F36EE9D4774E5162CF5A412A1597C1CBB75281

PID: 3104 | Process: cracked.exe | Type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dnserrordiagoff_webOC[2]
MD5: 3948EF3D9F9FB9FD68BFBBCDBDCFC605
SHA256: 1D5E9DC7114347EF6C6E7A89EBE73CAB3FA45CC9728943A5FFB3CB91ADF6E8FE

PID: 3104 | Process: cracked.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
MD5: E7CA76A3C9EE0564471671D500E3F0F3
SHA256: 58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
HTTP(S) requests: 4
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3104 | cracked.exe | GET | (none) | 198.54.117.212:80 | http://www.lll14042016.xyz/gate.php?from=@ | US | (none) | (none) | malicious
3104 | cracked.exe | GET | (none) | 198.54.117.212:80 | http://www.lll14042016.xyz/gate.php?from=@ | US | (none) | (none) | malicious
3104 | cracked.exe | GET | 302 | 192.64.119.78:80 | http://lll14042016.xyz/gate.php | US | html | 65 b | malicious
3104 | cracked.exe | GET | 302 | 192.64.119.78:80 | http://lll14042016.xyz/gate.php | US | html | 65 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3104 | cracked.exe | 198.54.117.212:80 | www.lll14042016.xyz | Namecheap, Inc. | US | malicious
3104 | cracked.exe | 192.64.119.78:80 | lll14042016.xyz | Namecheap, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
shell.view | (no answer) | unknown
lll14042016.xyz | 192.64.119.78 | malicious
www.lll14042016.xyz | 198.54.117.212, 198.54.117.210, 198.54.117.218, 198.54.117.217, 198.54.117.216, 198.54.117.215, 198.54.117.211 | malicious

Threats: No threats detected
Debug info: No debug info