analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Client.rar

Full analysis: https://app.any.run/tasks/0b5401a8-bb48-40bc-9397-06e703d489c7
Verdict: Malicious activity
Analysis date: May 30, 2020, 18:06:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

AA7C0E9AA3E362E147CD07C38C5F5943

SHA1:

040ADC519712817809F7B481B543967BDE3F76EC

SHA256:

1A28DF1C563378C48907DF518ED8394EE93C1B0261BEDB11E7581C05128D4218

SSDEEP:

384:lCi5FU9OqEXO3+eScxb5s+8namR6gBqvY0vDUkzG4xGFX:MwFU9V+GblSRivjvYkzG4xmX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Client.exe (PID: 2144)
      • Client.exe (PID: 2608)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • Client.exe (PID: 2144)
      • Client.exe (PID: 2608)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2904)
      • Client.exe (PID: 2144)
      • Client.exe (PID: 2608)
  • INFO

    • Manual execution by user

      • Client.exe (PID: 2144)
      • Client.exe (PID: 2608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe client.exe rundll32.exe no specs client.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2904"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Client.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2144"C:\Users\admin\Desktop\Client.exe" C:\Users\admin\Desktop\Client.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2364"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\virusC:\Windows\system32\rundll32.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2608"C:\Users\admin\Desktop\Client.exe" C:\Users\admin\Desktop\Client.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2864"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\virusC:\Windows\system32\rundll32.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 115
Read events
1 071
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2608Client.exeC:\Tools.exeexecutable
MD5:A90CB83FB4EDBF0161A9294B67BA76C2
SHA256:A5AF4A4858845386852F82DA23C695BBFE9342147AC5939A641E2300062A63C1
2608Client.exeC:\Users\admin\AppData\Local\Temp\virusexecutable
MD5:A90CB83FB4EDBF0161A9294B67BA76C2
SHA256:A5AF4A4858845386852F82DA23C695BBFE9342147AC5939A641E2300062A63C1
2904WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2904.36734\Client.exeexecutable
MD5:A90CB83FB4EDBF0161A9294B67BA76C2
SHA256:A5AF4A4858845386852F82DA23C695BBFE9342147AC5939A641E2300062A63C1
2144Client.exeC:\Users\admin\AppData\Local\Temp\virusexecutable
MD5:A90CB83FB4EDBF0161A9294B67BA76C2
SHA256:A5AF4A4858845386852F82DA23C695BBFE9342147AC5939A641E2300062A63C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info