Mastering Malware Analysis: A SOC Analyst’s Guide to Dynamic Analysis with AnyRun
This article explains how to use the AnyRun interactive sandbox to quickly analyze malware behaviour and read its output. Uploading a malicious file with a given hash, it walks through the sample's behaviour, including scheduled task creation, file writes to the user directory and data exfiltration over SMTP. AnyRun offers free and paid plans, but the free plan has usage limits and its analysis results are publicly visible. 2025-6-25 08:14:45 Author: infosecwriteups.com

Sh3nobi

As a SOC analyst, I will walk you through a dynamic malware analysis with AnyRun. We will use AnyRun's interactive sandbox to analyze a malicious file, explore its behaviour and interpret the key outputs: how to upload the sample, how to navigate the platform, and which findings matter for your defenses.

Sandbox services and products let you analyze malware quickly without building and instrumenting your own analysis VM.

AnyRun is an interactive sandbox: you get a live desktop of the detonation and can click through the sample's prompts while it runs, which is what makes it useful when you want results quickly.

AnyRun has free and paid plans. On the free plan every analysis you submit is public, so do not upload files that may contain personal or confidential data. The free plan also has other limits, including a cap on the run time of each task.

How do we use AnyRun for malware analysis, and what outputs do we get? Let us walk through it.

Download the sample with MD5 hash 80b51e872031a2befeb9a0a13e6fc480 from abuse.ch (Click here to download). Verify the hash of the file you received before you do anything else, and handle it only inside an isolated analysis VM.

Click the “+ New Task” button in the left menu to upload the downloaded sample.

The uploaded sample appears in the section marked “2” in the image above.

The “More Info” button on this panel opens a page with detailed information about the selected process; use it whenever the summary view is not enough.

Examining the process with PID 2680 shows that the malware:

  • uses Task Scheduler,
  • drops an executable whose compile timestamp is implausibly old (a PE header timestamp is trivially forged, so treat this as a hint rather than evidence),
  • writes many files to the user directory.

The process with PID 2616 is schtasks.exe, the Task Scheduler command-line tool.

Its “Command Line” parameters show that it creates a scheduled task named “Updates\neHneiobyhcrJJ” and takes the task's configuration from the file “tmp5383.tmp”. schtasks only reads a task definition from a file through its /XML switch, so that file is an XML task definition which the malware wrote to disk before invoking schtasks.

Examining tmp5383.tmp shows that the task will run a program named “neHneiobyhcrJJ.exe”: the dropped copy is re-launched by the scheduler, which is the sample's persistence mechanism.
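The two artifacts above (the schtasks command line and the task definition file it imports) are what you need to reconstruct the persistence. The following Python is an added example, not code from the article or from AnyRun: it parses a schtasks /Create command line for the /TN and /XML values, decodes the definition file the way Task Scheduler writes it (UTF-16 with a BOM) and reports what will run, on which trigger, and whether the task is hidden. The task name Updates\neHneiobyhcrJJ, the file name tmp5383.tmp and the executable name neHneiobyhcrJJ.exe come from the article; every path, the logon trigger and the Hidden setting in the constructed samples are assumptions.

```python
# Added example (not the article's or AnyRun's code): recover what a
# schtasks-created task will launch, from the schtasks command line and the XML
# definition file it imports. Task name, tmp5383.tmp and neHneiobyhcrJJ.exe come
# from the article; every path, the trigger and the settings are assumptions.
import codecs
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed command line in the form schtasks uses to import a task from XML.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" '
    r'/XML "C:\Users\admin\AppData\Local\Temp\tmp5383.tmp"'
)

# Constructed task definition. Task Scheduler writes these as UTF-16 with a BOM,
# so the sample is encoded the same way to exercise the loader on realistic bytes.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\admin\AppData\Roaming\neHneiobyhcrJJ.exe</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def parse_schtasks(cmdline):
    """Return {'task': <name>, 'xml': <definition path>} for a
    'schtasks /Create ... /XML <file>' command line, or None if it is not one."""
    if not re.search(r"schtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        return None

    def option(name):
        # Values may be quoted (paths with spaces) or bare.
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmdline, re.I)
        if m is None:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    return {"task": option("TN"), "xml": option("XML")}


def load_task_xml(raw):
    """Decode a Task Scheduler XML file (UTF-16 with BOM, or UTF-8) and parse it.
    The declaration is stripped so the already-decoded text parses whatever
    encoding it claims."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def describe_task(raw):
    """Extract what runs, with which arguments, on which triggers, and whether
    the task is hidden from the Task Scheduler UI."""
    root = load_task_xml(raw)

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None

    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [
        child.tag.split("}")[-1] for child in triggers_node
    ]
    return {
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "triggers": triggers,
        "hidden": (text("t:Settings/t:Hidden") or "").lower() == "true",
    }


def assess(cmdline, task_xml):
    """Combine both views into the findings an analyst would record."""
    findings = []
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return findings
    task = describe_task(task_xml)
    if parsed["xml"] and re.search(r"\\Temp\\", parsed["xml"], re.I):
        findings.append("task %s imported from a Temp-directory definition: %s"
                        % (parsed["task"], parsed["xml"]))
    if task["hidden"]:
        findings.append("task is marked Hidden")
    if "LogonTrigger" in task["triggers"]:
        findings.append("task runs at logon (persistence)")
    if task["command"] and re.search(r"\\AppData\\", task["command"], re.I):
        findings.append("task launches a binary from a user-writable path: %s"
                        % task["command"])
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_CMDLINE, SAMPLE_TASK_XML):
        print("-", finding)
```

In a real investigation the command line comes from the sandbox's process view (or from Sysmon event ID 1 / Security event 4688 on an endpoint) and the XML from the dropped file; the same parser also works on the task file Windows later stores under C:\Windows\System32\Tasks\ once the task has been registered.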

Examining the process with PID 3140:

  • AnyRun identifies this malware as AgentTesla,
  • it steals credentials,
  • it creates files in the user directory.

Panel number 3 lists the network connections; there we see that the malware connects to smtp.godforeu.com.

The button on the right of that panel opens the captured stream, so the incoming and outgoing data can be inspected.

Examining the network activity shows that the malware exfiltrates the stolen data over SMTP. When the session is not wrapped in TLS, the stream shows the whole exchange in the clear, including the AUTH LOGIN credentials (base64-encoded, not encrypted) and the message body, which gives you both indicators and the evidence needed to report the abused mailbox.
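As an added example that is not part of the article, the following Python parses a constructed SMTP session of the kind the stream viewer shows for this sample and pulls out what a SOC analyst needs from it: the server, the mailbox credentials sent in AUTH LOGIN, sender, recipient, subject and the harvested fields in the message body. Only the server name smtp.godforeu.com comes from the article; the session itself, the mailbox exfil-account@example.com, its password and the stolen entries are constructed.

```python
# Added example (not the article's or AnyRun's code): pull the analyst-relevant
# facts out of an SMTP session as shown in the sandbox stream viewer. Only the
# server name comes from the article; the session, the mailbox, its password and
# the harvested entries are constructed. Lines are "C: <client>" / "S: <server>".
import base64
import re

SAMPLE_STREAM = """\
S: 220 smtp.godforeu.com ESMTP ready
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZXhmaWwtYWNjb3VudEBleGFtcGxlLmNvbQ==
S: 334 UGFzc3dvcmQ6
C: UGFzc3cwcmQh
S: 235 Authentication successful
C: MAIL FROM:<exfil-account@example.com>
C: RCPT TO:<exfil-account@example.com>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: PW_admin/DESKTOP-ADMIN
C:
C: User Name: admin
C: URL: https://mail.example.com/
C: Username: admin@example.com
C: Password: hunter2
C: Application: Chrome
C: .
S: 250 Ok: queued
"""

LINE = re.compile(r"^([CS]):\s?(.*)$")
# Fields a stealer's report typically carries per harvested account.
HARVESTED = re.compile(r"^(URL|Username|Password|Application)\s*:\s*(.*)$", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def _address(line):
    m = re.search(r"<([^>]*)>", line)
    return m.group(1) if m else line.split(":", 1)[1].strip()


def _parse_message(lines):
    """Headers end at the first empty line; harvested fields come from the body."""
    blank = lines.index("") if "" in lines else len(lines)
    subject = next((l.partition(":")[2].strip() for l in lines[:blank]
                    if l.lower().startswith("subject:")), None)
    stolen = {}
    for line in lines[blank + 1:]:
        m = HARVESTED.match(line)
        if m:
            stolen[m.group(1)] = m.group(2).strip()
    return {"subject": subject, "stolen": stolen}


def parse_smtp_session(stream):
    """One pass over the session, tracking the AUTH LOGIN exchange and the DATA phase."""
    r = {"server": None, "auth_user": None, "auth_pass": None,
         "mail_from": None, "rcpt_to": [], "subject": None, "stolen": {}}
    pending, in_data, message = [], False, []
    for raw in stream.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        side, line = m.groups()
        if side == "S":
            if r["server"] is None and line.startswith("220 "):
                r["server"] = line.split()[1]
        elif in_data:
            if line == ".":
                in_data = False
                r.update(_parse_message(message))
            else:
                message.append(line)
        elif pending:
            # AUTH LOGIN replies are base64, not encrypted: readable from the capture.
            r[pending.pop(0)] = base64.b64decode(line).decode("utf-8", "replace")
        elif line.upper() == "AUTH LOGIN":
            pending = ["auth_user", "auth_pass"]
        elif line.upper().startswith("MAIL FROM:"):
            r["mail_from"] = _address(line)
        elif line.upper().startswith("RCPT TO:"):
            r["rcpt_to"].append(_address(line))
        elif line.upper() == "DATA":
            in_data = True
    return r


def triage(process, session):
    """Findings an analyst would record for this session."""
    findings = []
    if session["auth_user"]:
        findings.append("SMTP credentials recoverable from the capture: %s / %s"
                        % (session["auth_user"], session["auth_pass"]))
    if session["mail_from"] and session["rcpt_to"] == [session["mail_from"]]:
        findings.append("mail sent from the authenticated mailbox to itself (drop-box pattern)")
    if "Password" in session["stolen"]:
        findings.append("message body carries harvested credentials (subject: %s)"
                        % session["subject"])
    if process.lower() not in MAIL_CLIENTS and (session["auth_user"] or session["mail_from"]):
        findings.append("%s is not a mail client but speaks SMTP to %s"
                        % (process, session["server"]))
    return findings


if __name__ == "__main__":
    for finding in triage("neHneiobyhcrJJ.exe", parse_smtp_session(SAMPLE_STREAM)):
        print("-", finding)
```

The mailbox credentials recovered from AUTH LOGIN are the attacker's, not the victim's; they are what you report to the mail provider, while the harvested fields in the body tell you which victim accounts must be reset.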

If you want to examine it yourself, the analysis is available here (Click here).


Source: https://infosecwriteups.com/mastering-malware-analysis-a-soc-analysts-guide-to-dynamic-analysis-with-anyrun-f701afbaefe0?source=rss----7b722bfd1b8d---4