analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Док-ы 30.05.exe.001

Full analysis: https://app.any.run/tasks/efd0f1ed-aeb6-483a-b1f4-f02970ea6a52
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: September 11, 2019, 06:47:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
redaman
rat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

148D2F7D7A7FE7797E6842FFDC06DC04

SHA1:

C7DD73CB90C47CD72478725D249E98A509716077

SHA256:

10EEE14B17F5A062DB57EA9A590A728B27821DB3AB96A74C175EE43D92627596

SSDEEP:

6144:Mh6ekDVT0FLJVeP2H/UahE84svdQFlGkCWh+d21fAhkmpRDImB:S6ekDVT01qPnLoWFQkp+E1fAhRB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Док-ы 30.05.exe (PID: 2600)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2896)
      • rundll32.exe (PID: 3412)
      • WinRAR.exe (PID: 3528)
      • explorer.exe (PID: 276)
    • Changes the autorun value in the registry

      • Док-ы 30.05.exe (PID: 2600)
    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 3412)
    • Redaman was detected

      • rundll32.exe (PID: 2896)
      • rundll32.exe (PID: 3412)
  • SUSPICIOUS

    • Creates files in the program directory

      • rundll32.exe (PID: 3412)
    • Uses RUNDLL32.EXE to load library

      • Док-ы 30.05.exe (PID: 2600)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3528)
      • Док-ы 30.05.exe (PID: 2600)
      • rundll32.exe (PID: 3412)
    • Executed via Task Scheduler

      • rundll32.exe (PID: 2896)
    • Connects to server without host name

      • rundll32.exe (PID: 2896)
  • INFO

    • Reads the hosts file

      • rundll32.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe док-ы 30.05.exe #REDAMAN rundll32.exe #REDAMAN rundll32.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3528"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Док-ы 30.05.exe.001.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2600"C:\Users\admin\AppData\Local\Temp\Rar$EXa3528.47117\Док-ы 30.05.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3528.47117\Док-ы 30.05.exe
WinRAR.exe
User:
admin
Company:
Корпорация Майкрософт
Integrity Level:
MEDIUM
Description:
Самоизвлечение CAB-файлов Win32
Exit code:
0
Version:
6.00.2900.5512 (xpsp.080413-2105)
3412rundll32.exe rgv.dll,DllGetClassObject root 000000000000 Post Install program: <None>C:\Windows\system32\rundll32.exe
Док-ы 30.05.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2896rundll32.exe "C:\ProgramData\2daf8815353e\2eac8b16363d.dat",DllGetClassObject rootC:\Windows\system32\rundll32.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
276C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
469
Read events
447
Write events
22
Delete events
0

Modification events

(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3528) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Док-ы 30.05.exe.001.rar
(PID) Process:(276) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(276) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
Operation:writeName:MRUList
Value:
a
(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3528) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3412rundll32.exeC:\ProgramData\2daf8815353e\2eac8b16363d.datexecutable
MD5:981D570D3D2F33F76346AE5667852FA8
SHA256:4DA77354B0139E77D956D581D26070D86934D1F6DB2BA222D71F208367B41E97
2600Док-ы 30.05.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\rgv.dllexecutable
MD5:981D570D3D2F33F76346AE5667852FA8
SHA256:4DA77354B0139E77D956D581D26070D86934D1F6DB2BA222D71F208367B41E97
3528WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3528.47117\Док-ы 30.05.exeexecutable
MD5:F8EAEF7E8E42158C4D19D7AB04114792
SHA256:7D9D43BAFE4C0F2F8268B22FED575B12944F217F80378EC84000D83B8AEC3D60
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
14
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2896
rundll32.exe
POST
185.203.116.89:80
http://185.203.116.89/index.php
BG
malicious
2896
rundll32.exe
POST
185.205.210.233:80
http://185.205.210.233/index.php
BG
malicious
2896
rundll32.exe
POST
185.205.210.233:80
http://185.205.210.233/index.php
BG
malicious
2896
rundll32.exe
POST
185.203.116.89:80
http://185.203.116.89/index.php
BG
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2896
rundll32.exe
217.12.210.54:53
ITL Company
UA
malicious
2896
rundll32.exe
188.165.200.156:53
OVH SAS
FR
malicious
2896
rundll32.exe
185.203.116.89:80
BelCloud Hosting Corporation
BG
malicious
2896
rundll32.exe
91.217.137.37:53
Meganet-2003 LLC
RU
malicious
2896
rundll32.exe
185.205.210.233:80
BelCloud Hosting Corporation
BG
malicious

DNS requests

Domain
IP
Reputation
stat-counter-7.bit
unknown

Threats

PID
Process
Class
Message
2896
rundll32.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2896
rundll32.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2896
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
2896
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
2896
rundll32.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2896
rundll32.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2896
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
2896
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
2896
rundll32.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2896
rundll32.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
No debug info