analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

main.zip

Full analysis: https://app.any.run/tasks/b6c4b445-327c-486e-87b1-fe1a0fb89e9a
Verdict: Malicious activity
Analysis date: August 12, 2022, 15:46:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

18D7D5EF60FF6D90286AD60F494A000C

SHA1:

6F8FB4B3139C2AEF1AB497E512D9B16110E33CEA

SHA256:

299928D81CD75BD68BFD000DCCBABB4CEDCEE35DB37BB2C246B3F10C026D8343

SSDEEP:

1572864:NaARQFbe0WOnIjq8avuZ75hhxqH0pW8aL/A48nh4FCO++zf7ObGIbhLc++Xvy2i7:NaAO5WOIjq8aq75hhx/KmWFK4fC6eKPk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • EUQJFM.exe (PID: 1088)
      • Aut2exe2.exe (PID: 1796)
    • Loads dropped or rewritten executable

      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
    • Application was dropped or rewritten from another process

      • flagx.exe (PID: 3108)
      • Aut2exe2.exe (PID: 1796)
      • EUQJFM.exe (PID: 1088)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 464)
      • WinRAR.exe (PID: 1472)
      • WinRAR.exe (PID: 3956)
      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • Aut2exe2.exe (PID: 1796)
      • flagx.exe (PID: 3108)
      • EUQJFM.exe (PID: 1088)
    • Checks supported languages

      • WinRAR.exe (PID: 1472)
      • WinRAR.exe (PID: 464)
      • WinRAR.exe (PID: 3956)
      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • flagx.exe (PID: 3108)
      • Aut2exe2.exe (PID: 1796)
      • EUQJFM.exe (PID: 1088)
    • Application launched itself

      • WinRAR.exe (PID: 1472)
    • Reads mouse settings

      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • EUQJFM.exe (PID: 1088)
    • Executable content was dropped or overwritten

      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • Aut2exe2.exe (PID: 1796)
      • EUQJFM.exe (PID: 1088)
    • Drops a file with a compile date too recent

      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • EUQJFM.exe (PID: 1088)
      • Aut2exe2.exe (PID: 1796)
    • Checks for external IP

      • 887Rat.exe (PID: 2820)
  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 3956)
      • 887Rat.exe (PID: 2820)
      • 887Rat.exe (PID: 3692)
      • EUQJFM.exe (PID: 1088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 887Rat-main/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2022:04:08 19:51:08
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs winrar.exe no specs winrar.exe no specs 887rat.exe 887rat.exe flagx.exe no specs aut2exe2.exe euqjfm.exe

Process information

PID
CMD
Path
Indicators
Parent process
1472"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\main.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
464"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa1472.42437\887Rat.7z.001C:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
3956"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\887Rat.7z.001" C:\Users\admin\Desktop\887Rat.7z\C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2820"C:\Users\admin\Desktop\887Rat.7z\887Rat.exe" C:\Users\admin\Desktop\887Rat.7z\887Rat.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
3692"C:\Users\admin\Desktop\887Rat.7z\887Rat.exe" C:\Users\admin\Desktop\887Rat.7z\887Rat.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
3108"C:\Users\admin\AppData\Local\Temp\flagx.exe" C:\Users\admin\AppData\Local\Temp\flagx.exe887Rat.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1796C:\Users\admin\AppData\Local\Temp\Aut2exe2.exe /in C:\Users\admin\AppData\Local\Temp/QNDQUF /out C:\Users\admin\AppData\Local\Temp/EUQJFM.exe /icon C:\Users\admin\AppData\Local\Temp\ssc.ico /comp 2 /nopack /UnicodeC:\Users\admin\AppData\Local\Temp\Aut2exe2.exe
887Rat.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
Aut2Exe
Exit code:
0
Version:
3, 3, 10, 2
1088"C:\Users\admin\Desktop\887Rat.7z\EUQJFM.exe" C:\Users\admin\Desktop\887Rat.7z\EUQJFM.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Total events
5 178
Read events
5 065
Write events
0
Delete events
0

Modification events

No data
Executable files
29
Suspicious files
166
Text files
411
Unknown types
9

Dropped files

PID
Process
Filename
Type
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1472.42437\887Rat.7z.001
MD5:
SHA256:
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1472.43255\887Rat-main\887Rat.7z.001
MD5:
SHA256:
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1472.43255\887Rat-main\887Rat.7z.002
MD5:
SHA256:
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1472.43255\887Rat-main\887Rat.7z.003
MD5:
SHA256:
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1472.43255\887Rat-main\887Rat.7z.004
MD5:
SHA256:
3956WinRAR.exeC:\Users\admin\Desktop\887Rat.7z\887Rat.exe
MD5:
SHA256:
2820887Rat.exeC:\Users\admin\AppData\Local\Temp\aut544D.tmp
MD5:
SHA256:
2820887Rat.exeC:\Users\admin\AppData\Local\Temp\xhhqibw
MD5:
SHA256:
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1472.43255\887Rat-main\887Rat.7z.005binary
MD5:EA4E9A64BBFFD2F5F60677C914CADCBF
SHA256:04CC4EADF8AF372A6BD7951671E322633CE85872BEEF81E2C4FFF8D8490BA044
1472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1472.43255\887Rat-main\README.mdtext
MD5:C5D2A3E2403481A49121C0716993FFEB
SHA256:07B56D8CE86C1570B0CBD68B644E86D738018F9EA6838813BF05EE3EEDFF653F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2820
887Rat.exe
GET
200
52.18.62.61:80
http://checkip.amazonaws.com/
IE
text
13 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2820
887Rat.exe
212.30.37.28:4000
LB
unknown
2820
887Rat.exe
52.18.62.61:80
checkip.amazonaws.com
Amazon.com, Inc.
IE
malicious

DNS requests

Domain
IP
Reputation
checkip.amazonaws.com
  • 52.18.62.61
  • 54.216.11.251
  • 52.211.53.135
  • 63.32.63.32
  • 34.243.7.17
  • 34.247.130.211
  • 54.155.28.32
  • 18.203.24.179
shared

Threats

PID
Process
Class
Message
2820
887Rat.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
1 ETPRO signatures available at the full report
No debug info