ANY.RUN Profile
ANY.RUN

@anyrun_app

Followers
25,653
Following
181
Media
980
Statuses
2,842

– Interactive Cloud-based Sandbox with an innovative approach to #malware analysis. Create a free account –

Joined February 2017
Pinned Tweet
@anyrun_app
ANY.RUN
2 months
🚀 #Windows10 64-bit is now available to ALL #sandbox users! Yes, that includes those on our Community plan 🧑‍💻 Improve your threat analysis with a better detection rate of modern #malware 🎉 Start a new analysis session and give it a try 👇
5
29
88
@anyrun_app
ANY.RUN
3 months
Hello everyone, we have some news to share with you today. There's been an incident. And we're currently deep into the investigation of exactly what happened on our side: One of our customers was compromised, and our employee received a phishing email from their account. This
26
168
800
@anyrun_app
ANY.RUN
2 months
⚠ As expected, the incident with #CrowdStrike has been exploited to distribute malware. 🎯 In our example, an archive containing #Hijackloader, which delivers #Remcos to the infected system, is downloaded into the system under the guise of a #hotfix. 💢 The name of the ZIP
6
185
391
@anyrun_app
ANY.RUN
3 years
We are making every possible effort to continue to provide our service to the world.
11
41
312
@anyrun_app
ANY.RUN
8 months
🎅 Ho, ho, ho! Santa's got a surprise for you #Linux is coming to ANYRUN! 🎁 Get ready to execute #malware, interact with uploaded files, and gather IOCs on #Ubuntu 22.04.2 🚀 Stay tuned for the official launch soon. For now, check out Linux task samples: ➡️
2
62
277
@anyrun_app
ANY.RUN
6 years
Now you can open a malicious link in the default browser at without downloading HTML files. Very useful for researching exploits. And it is already available on FREE plans! #RigEK example:
3
140
271
@anyrun_app
ANY.RUN
2 months
Hello everyone, as promised, we are back with the first results of our investigation. In this report, we present the facts and timeline of the incident. We’ve also added our response actions. More updates will be provided later as we make further progress
6
79
264
@anyrun_app
ANY.RUN
6 years
We have mapped our signatures to @MITREattack. It will help you to better understand tactics and techniques used by attackers, to learn about different phases of malicious work, as well as to better classify our signatures under the common standard for you.
4
134
256
@anyrun_app
ANY.RUN
7 years
We have developed a new useful feature, "Fake Net". It intercepts HTTP requests and returns a 404 error, forcing malware to reveal its C2 links #Emotet cases: Default: With "Fake Net" feature: In the second one, you can see all 5 URLs
16
134
250
@anyrun_app
ANY.RUN
6 years
New feature for you, guys! The process graph is a schematic visualization of all phases of malicious activity. It has a convenient format for a report or presentation. You can point it into your blog or share it. The graph will be included in the text report of our system.
5
94
234
@anyrun_app
ANY.RUN
2 years
I guess we have jumped the gun to fire those guys #ChatGPT #FormBook #OpenAI
5
24
233
@anyrun_app
ANY.RUN
6 months
⚠️ Please beware of a new threat ⚠️ We have observed a mass attack on users between February 23, 2024, and the present moment. ⚙️ Threat Details: - The initial vector is an email with a ZIP attachment and the question, "I sent a material your side last day, have you able to get
3
72
216
@anyrun_app
ANY.RUN
5 years
Today we introduce Malware Trend Tracker – dynamic articles that collect the freshest info about various types of malware. The best way to learn how to analyze malware is now even easier and faster. Everything as we love in ANYRUN! Watch, Read, Rerun! 😋
9
85
193
@anyrun_app
ANY.RUN
7 years
Hell Yeah, FREE Community version is released and ready for use! Go register your account and enjoy your hunting! 🔥
3
93
174
@anyrun_app
ANY.RUN
5 years
🎉 Today we are ready to release our API! Now you can automate submissions and receive IOCs from your tasks in case it doesn’t need user interaction. API simplifies listing of your team history, making data access easier. 📒 Documentation available here:
7
85
174
@anyrun_app
ANY.RUN
3 years
Testing #PrintNightmare vulnerability on a live system is easy! Try ANYRUN to see how it works. You can take a look at the implementation of CVE-2021-1675 local privilege escalation written in PowerShell, made by @_johnhammond and @calebjstewart
1
75
171
@anyrun_app
ANY.RUN
2 months
⚠️ We are observing a huge #phishing campaign that uses #SharePoint to store PDFs with #phish links 💢 The volume of phishing exploiting this technique is enormous — in just the last 24 hours, our service has seen over 500 public sandbox sessions with SharePoint phishing! 🎯
4
54
164
@anyrun_app
ANY.RUN
9 months
📌 Comparison of QakBot and PikaBot servers configuration #QakBot is a malware loader and initial access tool. It was active until August and suddenly appeared in mid-December 2023. #PikaBot malware has a modular structure including a loader and a core with a Shell backdoor,
0
58
158
@anyrun_app
ANY.RUN
6 years
Tuesday's feature! Do you like to use MITM proxy in , but want to inspect decoded SSL in Wireshark? Now this is easy:
0⃣ Use the MITM option
1⃣ Download SSL Key Logs
2⃣ Import keys to Wireshark
3⃣ Enjoy!
#Formbook example:
7
73
152
@anyrun_app
ANY.RUN
2 months
🚨 When seeking a fix, users affected by the #outage can destroy their entire system. Attackers are now distributing a data #wiper disguised as a #CrowdStrike update. It decimates the system by overwriting files with zero bytes and then reports it over #Telegram. See the
6
64
152
@anyrun_app
ANY.RUN
2 years
🛠️ Malware extractors are here :) ✅ Fast and high-quality detection of known families ✅ Receive ALL IOCs in 15 seconds via API ✅ Get data even from broken and sleeping samples Data for 30 trending malware is available today even with a FREE account!
7
41
150
@anyrun_app
ANY.RUN
5 years
The new version of the #Emotet arrived! 🔥 Changed file name generation algorithm, process tree, and the path generation algorithm for C2 communication. You won't miss any #Emotet updates with ANYRUN!
2
86
145
@anyrun_app
ANY.RUN
3 months
🎯 #Meterpreter #backdoor uses tricky #steganography by filtering image channels in yet another #stegocampaign 🕵 A .NET executable file with a #PowerShell script inside downloads a PNG image from a remote C2 server 📝 #Malware calculates a byte array from image channels by
0
51
144
@anyrun_app
ANY.RUN
3 years
#Emotet is reborn again! The botnet delivers both malicious documents and payloads from C2 right now. The maldocs for distribution are Excel and Word files. But there is no sign of active spam yet. Don't miss the latest news about #Emotet with ANYRUN!
3
72
142
@anyrun_app
ANY.RUN
5 years
Now with you can change locale to bypass malware geo evasion. It includes changing of: – Keyboard layout – Country & currency – Time zone & format As an example, #GandCrab doesn't work in ex-USSR. en-US: ru-RU:
6
56
137
@anyrun_app
ANY.RUN
2 months
Hello everyone, today, we present our team's findings on the phishing campaign behind the recent incident: - 72 Phishing Domains: Pretending to be real companies - Advanced Techniques: Including direct human interaction - Fake Websites:
4
43
138
@anyrun_app
ANY.RUN
11 months
#Malware is actively exploiting the recently discovered WinRAR vulnerability #CVE-2023-38831 A CMD file disguised as a PDF file coexists with a folder that has the same name. After clicking on this file, the #Agenttesla malware within the folder gets executed. Analyze the
0
46
137
@anyrun_app
ANY.RUN
6 years
New features are coming, see you next week! Have a nice weekend ;)
9
38
127
@anyrun_app
ANY.RUN
2 months
⚠️ As you probably know, a recent update deployed by #CrowdStrike resulted in a significant infrastructure outage, including users facing #BSOD, impacting companies and organizations globally. While this incident stemmed from a faulty update rather than a #malicious attack, it
3
56
132
@anyrun_app
ANY.RUN
6 years
Here is the report for CVE-2018-8373 exploit (Internet Explorer Memory Corruption Vulnerability) #exploit #malware #cve20188373
2
81
129
@anyrun_app
ANY.RUN
7 years
Yaaay! Today we got a request from the 2,000th user! And today we are happy to announce that we are opening x64 OS version for testing! Enjoy hunting!
8
48
121
@anyrun_app
ANY.RUN
9 months
📌 DarkGate: new script delivery action via DNS #DarkGate v5, a multifunctional #loader, now has advanced modules, allowing it to gain the initial access to organizations' infrastructure inside the perimeter, potentially expanding the scope of its victims. ⚙ Its initiation
1
46
123
@anyrun_app
ANY.RUN
11 months
📌 #DarkGate Loader downloads an encrypted payload 🔓Decrypt the payload using #CyberChef Follow the instructions: 1⃣ Take the DarkGate sample in ANYRUN ➡️ 2⃣ Download the received encrypted data marked by the rule: ☑️ PAYLOAD []
0
34
115
@anyrun_app
ANY.RUN
6 years
Good day, Hunters! The new feature for those who love the hunt for phishing with ! Now you can choose a browser in which the URL will open, as well as UserAgent. Enjoy your hunting! 😎
3
52
116
@anyrun_app
ANY.RUN
5 years
#Emotet is back! 😈 After months in silence, it's again in action - new #emotet spamming campaign starts! Be prepared for the new #emotet campaign with ANYRUN and don't forget about "Fake net" feature!
6
74
112
@anyrun_app
ANY.RUN
10 months
📌 Another malware campaign employs images with #stego Let's take a look at this sample ➡️ The #malware employs #steganography in several stages: 1️⃣ The modified "Google Update" app downloads multiple PE files and an image containing a DLL 2️⃣TrueUpdate,
0
42
111
@anyrun_app
ANY.RUN
6 years
New useful feature is available now: Automatic detection of opened directory listing and tagging it as #opendir #Pony example:
5
55
109
@anyrun_app
ANY.RUN
6 years
Good news! From today all the OS are available for the Tester's plan:
✅ Vista 32/64 bit + Office 2007 32bit
✅ 7 32/64 bit + Office 2010 32/64 bit
✅ 8.1 32/64 bit + Office 2013 32/64 bit
✅ 10 32/64 bit + Office 2016 32/64 bit
6
30
103
@anyrun_app
ANY.RUN
1 year
#Raccoon 2.0 Malware analysis 👨‍💻 Let's revisit a malware analysis from ANYRUN. Raccoon remains a top #cybersecurity threat, even making our top 10 last week. We're reviewing its execution & discussing challenges encountered in the analysis.👇
1
36
99
@anyrun_app
ANY.RUN
6 years
TOP10 last week's threats by the number of uploads to ANYRUN
#Lokibot (118)
#Emotet (92)
#Nanocore (75)
#Formbook (67)
#Pony (62)
#Imminent (54)
#HawkEye (40)
#AgentTesla (34)
#GandCrab (32)
#Azorult (31)
You can track the tag in our submission section:
1
60
94
@anyrun_app
ANY.RUN
6 years
MUCH-AWAITED UPDATE HERE Watch filtered IOCs with lots of useful information like hashes, C2 requests, dropped executable files. You can easily select and copy to the clipboard what you need. Look at the #Emotet as an example.
3
45
90
@anyrun_app
ANY.RUN
5 years
📊 Annual TOP10 threats by uploads to ANYRUN!
1⃣ #Emotet 36026 🔥
2⃣ #AgentTesla 10324
3⃣ #NanoCore 6527
4⃣ #LokiBot 5693
5⃣ #Ursnif 4185
6⃣ #FormBook 3548
7⃣ #HawkEye 3388
8⃣ #AZORult 2898
9⃣ #TrickBot 2510
🔟 #njRAT 2355
3
54
92
@anyrun_app
ANY.RUN
7 months
#ANYRUN now detects #certificates of compromised production systems 🚨 ⚠️  Our service now flags files signed with the AnyDesk version 8.0.6 certificate 'philandro Software GmbH' (Valid from: 03:12 AM 12.13.2021) ↘️ ⚙️ The latest AnyDesk version 8.0.8 is
2
13
73
@anyrun_app
ANY.RUN
6 years
We know that you are already waiting for text reports. Here are some examples of process graphs for the HTML/PDF version that will be available soon. Have a great day!
5
34
90
@anyrun_app
ANY.RUN
2 years
🛠️ Malware Config for #AgentTesla successfully extracted! Now all C2 data is immediately available, regardless of the protocol used: 📧 SMTP – 💾 FTP – 💬 Telegram – Also, all decrypted strings are a bonus!
3
22
90
@anyrun_app
ANY.RUN
1 year
📌 #GootLoader is a loader distributed under a malware-as-a-service model #MaaS is an affiliate program that lowers the entry threshold for participants into malicious activities. 🤲To decode the traffic, we've specially crafted a recipe for you in #CyberChef Check out the
2
36
91
@anyrun_app
ANY.RUN
4 years
Looks like #Emotet is back after vacation! Now it uses a chain of execution recently tested on #Dridex with the Emotet's maldoc and fake error message. The downloaded payload is a DLL file. Be prepared and fully armed to face malware campaigns with ANYRUN!
3
66
89
@anyrun_app
ANY.RUN
4 years
We've found an #Emotet sample with an unusual execution vector in our Public Submissions. It uses Certutil for decoding the payload from Base64 and Rundll for unpacking and running it. The maldoc's template was previously used for distributing #ostap
2
31
86
@anyrun_app
ANY.RUN
1 year
🔍 Just released: #GuLoader #malwareAnalysis Learn how to identify #obfuscation patterns, apply code simplification strategies, and automate the analysis process with #Ghidra Scripting More in our blog 👇
0
26
82
@anyrun_app
ANY.RUN
2 years
Our team of analysts has done malware research of #RecordBreaker aka #Raccoon Stealer 2.0. We're ready to share our results, including the script to extract C2 servers. Check out a new blog post and get a detailed report about Raccoon internals!
1
38
85
@anyrun_app
ANY.RUN
5 years
Make UX great again! 🔥 We start to update the service interface. Check out for the Task info block. Do you like it?
7
9
82
@anyrun_app
ANY.RUN
6 years
Here is the report for analysis of a PDF with embedded 'SettingContent-ms'. Look how it works on Windows 10. Payload is a loader for #AmmyRat (http://169.239.129[.]117/cal) C2: 185.99.132[.]119:443 PDF->Deeplink->PS->WMI->Loader->AmmyRAT
2
63
81
@anyrun_app
ANY.RUN
5 years
Hello Hunters! Do you want to try malware's killswitch? Use ANYRUN interactivity! This ransomware checks the presence of a file "aaa_TouchMeNot_.txt" and doesn't run if it is at the root of the C:\ drive. Without file: With file: Enjoy!
0
32
78
@anyrun_app
ANY.RUN
4 years
TOP10 #COVID19 themed attack statistics by uploads to Search for IOCs and samples using the tag #COVID19 in public submissions:
1
61
81
@anyrun_app
ANY.RUN
5 years
After a long time, meet fresh #Muddywater! It stores base64 encoded logs in an opendir on the compromised website advanceorthocenter[.]com. At least 183 entries in the log file by now. For persistence it adds an executable in the registry and switches to the active phase after reboot
3
35
79
@anyrun_app
ANY.RUN
2 years
Using LNK files for payload delivery is trending up📈 When #MSOffice blocked macros, crooks started to look for workarounds like applying LNK files and multiple system tools to deliver #malware: LNK -> MSHTA -> PS -> CMD -> PS -> CSC -> #Stealerium
1
28
79
@anyrun_app
ANY.RUN
4 years
TOP10 last week's threats by uploads
⬇️ #Emotet 1425 (1617)
⬆️ #AgentTesla 127 (113)
⬇️ #NjRAT 126 (150)
⬆️ #Lokibot 84 (60)
⬇️ #Remcos 77 (103)
⬆️ #Qealler 58 (29)
⬆️ #Quasar 45 (36)
⬇️ #FormBook 40 (84)
⬇️ #NanoCore 35 (65)
⬇️ #AsyncRAT 29 (84)
1
53
77
@anyrun_app
ANY.RUN
6 years
Now we look up files on VirusTotal for you. Results are available in a special tab "Antiviruses". At the moment, we are not sending any submitted files to VT, so results for some new files can be unavailable.
3
31
75
@anyrun_app
ANY.RUN
4 years
#Emotet, the most dangerous cyber threat, is disrupted now. Learn how it evolved from a standard banking Trojan to a giant botnet📈 You can review the malware’s history in our new post - Rise and fall of Emotet 👉 #anyrun #malware #cybersecurity
1
41
77
@anyrun_app
ANY.RUN
5 months
👋 Today we have a guest post from @4ayymm on the malicious Python over #WebDAV (T1059.006) Adversaries may abuse Python commands and scripts for execution. ⛓The delivery sequence: 1️⃣ Embed Malicious JavaScript: A website contains malicious JavaScript that tricks users into
0
28
78
@anyrun_app
ANY.RUN
4 years
Meet Annual Report 2020! 🥳 We have prepared the year review in numbers. Find out about the most active malware of the year, its types, service updates, events, and how we worked towards making your analysis successful:
0
31
76
@anyrun_app
ANY.RUN
1 year
The #LummaStealer malware can receive a configuration from the C&C server. The configuration is encrypted with a 32-byte XOR key, then encoded in Base64, and provided on request at the /c2conf URI. Here is a #Lumma sample: Use our #CyberChef recipe to
@anyrun_app
ANY.RUN
1 year
TOP10 last week's threats by uploads 📊
⬆️ #Redline 140 (116)
⬆️ #Agenttesla 114 (108)
⬆️ #Xworm 81 (30)
⬆️ #Njrat 77 (32)
⬆️ #Amadey 73 (43)
⬆️ #Dcrat 56 (32)
⬆️ #Lumma 54 (38)
⬆️ #Asyncrat 48 (39)
⬆️ #Dbatloader 38 (32)
⬇️ #Remcos 33 (49)
0
2
12
0
26
77
@anyrun_app
ANY.RUN
8 months
#ANYRUN discovered that #XenoRAT has begun distribution via a #stego campaign 🕵️‍♂️ Our team's sharing a #YARA rule, so you can detect this #malware. We’re glad to contribute to our community and support the #100DaysOfYara event. This campaign delivers payloads through images with
3
23
74
@anyrun_app
ANY.RUN
4 years
⚡️ Law enforcement agencies around the globe have done a lot of work to disrupt #Emotet's infrastructure! Currently, the payload is being delivered to infected systems but C2 servers aren't responding. No more #Emotet?
3
19
73
@anyrun_app
ANY.RUN
7 months
#APT #MustangPanda activity in New 2024 Year 🚨 We’ve noticed online activity by the operator affiliated with [ #MustangPanda / #EarthPreta ], employing the  Backdoor [ #ToneShell / #Pubload ] We’re sure there was a real person on the other end of the line because he made a typo 🤨
4
16
73
@anyrun_app
ANY.RUN
5 months
⚠️ #Konni #APT All-in-one LNK: tricky self-extracted container 🗂️ Oversized LNK files may contain hidden command lines and act as containers for multiple files. ❗️ Attackers exploit Windows' character limit by using excessive whitespace symbols, making the command line
0
30
73
@anyrun_app
ANY.RUN
7 months
📌 Attackers are using a link to #SMB share in emails to bypass the warning message about running a potentially malicious file ⚙️ See the details: ⚙️ Downloaded #Pikabot signed by revoked #certificate ➡️ 🛰️ More samples and #IOC can be found at Threat
1
23
71
@anyrun_app
ANY.RUN
6 years
TOP10 last week's threats by uploads to ANYRUN! Dynamic data for two weeks:
⬇️ #LokiBot 110 (193)
⬆️ #HawkEye 88 (54)
⬆️ #FormBook 71 (69)
⬆️ #Pony 68 (65)
⬆️ #Azorult 66 (46)
⬇️ #NanoCore 64 (73)
⬆️ #Ursnif 51 (31)
⬆️ #GandCrab 41 (21)
⬇️ #AgentTesla 38 (47)
⬇️ #Remcos 29 (32)
2
46
68
@anyrun_app
ANY.RUN
8 months
🚨 We made a complete breakdown of the #Pure malware family Pure is sophisticated #malware that's gaining popularity. It features #PureCrypter, a powerful stealer #PureLogs, and as we discovered — a miner. There's a lot of ground to cover. Let's dive in:
0
24
68
@anyrun_app
ANY.RUN
2 years
Crooks are gradually moving away from typical #MSOffice schemes and more often use other ways: links, images and archive files. We'd like to share 2 samples: #Qbot - And #Icedid found by @pr0xylife -
2
29
67
@anyrun_app
ANY.RUN
2 years
Are you a junior #malware analyst?🧐 Find gifts from our partners & get lifehacks for training: 🎓what cybersecurity job to choose 🎓how to begin a journey in malware analysis 🎓what courses are useful 🎓how to become an expert with a sandbox
3
21
69
@anyrun_app
ANY.RUN
6 years
TOP10 last week's threats by uploads to ANYRUN! Emotet is back from vacation! 📨
⬆️ #Emotet: 732 +676
⬆️ #LokiBot: 143 +12
⬆️ #NanoCore: 81 +28
⬆️ #Ursnif: 55 +25
⬇️ #HawkEye: 49 -2
⬆️ #Azorult: 47 +11
⬇️ #Pony: 46 -9
⬇️ #FormBook: 39 -12
⬇️ #Remcos: 39 -14
⬆️ #GandCrab: 36 +8
1
43
67
@anyrun_app
ANY.RUN
6 months
Today on our blog, we have expert insights from @RussianPanda9xx 😱🔥 In this research, she provides an in-depth technical analysis of the #AsukaStealer malware, including its C2 communication, and compares it to #ObserverStealer . Check it out! 🐼
2
23
71
@anyrun_app
ANY.RUN
2 years
Another day, another #OneNote maldoc! 📄 We're seeing growing OneNote #maldoc usage lately: crooks leverage different lures, such as #Office365 and blurred documents. Check a fresh "Legal Notice" maldoc with #Redline as the payload 👇
0
38
71
@anyrun_app
ANY.RUN
11 months
🕵️ A #stego campaign weaponizes images to drop malware An ongoing #phishing campaign is delivering payloads through images with embedded Base64-encoded MZ files. So far, we have observed the use of #AgentTesla, #Asyncrat, #Dtloader, #Remcos and #NjRAT being downloaded using
0
27
66
@anyrun_app
ANY.RUN
4 years
We have united all the tasks where the #coronavirus is mentioned under the tag #covid19. For now, the Threat Intelligence feed contains about 1300 submissions and is constantly growing. Search IOCs and samples by link. Stay safe!
2
37
67
@anyrun_app
ANY.RUN
1 year
🔍 New addition to our Malware Trends Tracker: #Snake! AKA #404KeyLogger, this #Infostealer written in .NET steals login credentials, captures keystrokes, and clipboard data. It's been a #cybersecurity threat since August 2019. More 👉
1
23
66
@anyrun_app
ANY.RUN
5 years
#DeepNude scam detected 🤠 On the wave of hype, we have found an interesting sample: #Remcos, #orcus, #njrat, #bladabindi inside and no uploads to VT yet! Someone will have to deal with malware instead of photos! #opendir: ciber1250.gleeze[.]com:85/utils/
5
29
67
@anyrun_app
ANY.RUN
7 years
Finally, it happened!!! Today is the last day when we accept beta testing requests. Free community version will be released the next week!
3
16
66
@anyrun_app
ANY.RUN
6 years
Here is a fresh sample of #MuddyWater #APT. It enters the active phase only after a reboot to avoid detection by automated sandboxes: Thanks to @nao_sec for this sample!
3
34
68
@anyrun_app
ANY.RUN
4 years
📢 Don't blow your chance! 's going to be integrated into the malware analysis course by @vk_intel and @0verfl0w_ ! Check the details and get a 3-month plan for educational purpose for the Zero2auto students. You snooze, you lose 😉
1
21
67
@anyrun_app
ANY.RUN
4 years
How many malicious document templates does #emotet have? Check this out with ANYRUN's emotet-doc cluster! We cluster all of them under the emotet-doc tag so there is no need for manual search, so explore them all!
0
30
68
@anyrun_app
ANY.RUN
5 months
📌 A #phishing campaign involving Google AMP, TikTok, Shorteners, and IPFS 🗨️ It seems there’s no limit to how many legitimate services can be abused to trick users into a single phishing page. Techniques used in this campaign: 🔷 Multiple redirects through legitimate services
0
26
68
@anyrun_app
ANY.RUN
4 years
TOP10 last week's threats by uploads
⬇️ #Emotet 1061 (1854)
⬆️ #AgentTesla 124 (96)
⬆️ #NjRAT 122 (106)
⬆️ #Remcos 121 (84)
⬆️ #FormBook 99 (88)
⬆️ #AsyncRAT 96 (83)
⬆️ #NanoCore 82 (65)
⬆️ #Qealler 78 (14)
⬆️ #LokiBot 71 (49)
⬆️ #Qbot 54 (29)
0
35
66
@anyrun_app
ANY.RUN
9 months
The #Socks5System Proxy Bot Traffic Analysis Utilizes two types of C2 connections for communication; the proxy bot distributes roles between two servers: - HTTP/80 C2 connection - TCP/1074 Client connection streams and proxy server commands Link to the sample ↘️
2
29
67
@anyrun_app
ANY.RUN
7 months
We've just started a series exploring the intricate world of malware #obfuscation ↘️ ☝️Learn how tools like .NET Reactor and SmartAssembly modify .NET code to block analysis, targeting .NET's Intermediate Language This series aims to demystify
0
28
67
@anyrun_app
ANY.RUN
5 months
#FakeJami 🔺 (T1218.005) Adversaries use mshta.exe to run malicious .hta files and scripts by exploiting a trusted Windows utility. Various threats employ mshta.exe for initial compromise and code execution. 🔺 (T1027.004) Adversaries can obfuscate #payloads by delivering
2
24
66
@anyrun_app
ANY.RUN
5 years
The new version of the #trickbot loader uses alternate data streams to hide its script (home.text:con) and payload (out1759.xml:text). You can find all samples of the new loader by the tag #malscr-2 on the submissions page Found by @killamjr
2
33
66
@anyrun_app
ANY.RUN
2 years
#Emotet is back! For 6 months, the infamous botnet has shown almost no activity, and now it’s distributing malspam. Emotet uses a weaponized XLS file with a new lure to download payload and regsvr32 to run it. ✅Find samples in our Public Submissions!
1
32
65
@anyrun_app
ANY.RUN
6 years
We got a lot of attention on the weekend! 🔥🔥🔥 It helped us to test the service on a big amount of tasks and reveal a lot of different issues. We were able to fix some of them and continue working on maintaining stability.
3
8
62
@anyrun_app
ANY.RUN
6 years
Interesting sample of RAT: MSPUB->SCH->MSI->COM->SomeSortOfRAT? PL: http://officemysuppbox[.]com/staterepository C2: https://checksolutions[.]pw/ghuae/huadh.php (7/64)
8
34
64
@anyrun_app
ANY.RUN
7 months
🚀 Huge announcement from #ANYRUN! Meet our NEW service: Threat Intelligence Lookup! 🎉 Search across millions of #IOCs using 30+ parameters, and quickly link isolated indicators to threats. Ready to revolutionize your #ThreatIntelligence? Learn more ⬇️
1
10
60
@anyrun_app
ANY.RUN
5 years
TOP10 last week's threats by uploads
⬇️ #Emotet 1736 (2071)
⬇️ #AgentTesla 380 (404)
⬇️ #Lokibot 184 (230)
⬇️ #NanoCore 132 (155)
⬆️ #Trickbot 118 (89)
⬆️ #Formbook 97 (64)
⬆️ #Ursnif 97 (48)
⬆️ #AZORult 69 (65)
⬆️ #HawkEye 60 (60)
⬆️ #NjRAT 60 (49)
2
40
63
@anyrun_app
ANY.RUN
4 years
#Emotet comes with a new template! After a short "rest", the crooks behind it started to deliver malspam with the update. We've put them all together under the "emotet-doc" tag for you guys! Explore tasks and collect IOCs from one of the most common malware families
0
24
63
@anyrun_app
ANY.RUN
4 years
TOP10 last week's threats by uploads
⬆️ #Emotet 1371 (315) ☠️
⬆️ #njRAT 150 (146)
⬇️ #AgentTesla 118 (176)
⬇️ #FormBook 105 (121)
⬇️ #NanoCore 75 (84)
⬆️ #AsyncRAT 61 (49)
⬇️ #LokiBot 57 (67)
⬇️ #Qealler 55 (106)
⬆️ #Masslogger 44 (38)
⬇️ #Remcos 42 (68)
0
52
63
@anyrun_app
ANY.RUN
7 years
Adobe Flash #CVE20184878 in the wild What is this? DOCX: Tried to load https://falcancoin[.]io/data/package32.zip Payload (DLL): Dropped DLL: 1/64 C2: http://www.530hr[.]com/data/common.php
6
41
61