File name: | Deluxe Viewbot.rar |
Full analysis: | https://app.any.run/tasks/6f92ec43-089d-449a-afa2-b9dca6610e60 |
Verdict: | Malicious activity |
Threats: | Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class. |
Analysis date: | January 23, 2019, 01:11:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 37699B905519F2EDCC1D62A9025DD39F |
SHA1: | DDA44FC5F8B428D012AC73F50DDFC8DF99F69485 |
SHA256: | 323681FFD410D21D66D7E192CFB0D02348F9DE23F4D223237DACABCA742FF283 |
SSDEEP: | 24576:c1GZoqKnrFXSZ6S3dx67PmHo3i4aZ+56op:2+cnBiwS3dxIaZ+56K |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3072 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Deluxe Viewbot.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2856 | "C:\Users\admin\Desktop\Deluxe Viewbot.exe" | C:\Users\admin\Desktop\Deluxe Viewbot.exe | explorer.exe | |
User: admin Company: Deluxe VB Integrity Level: MEDIUM Description: Deluxe Viewbot Exit code: 0 Version: 1.0.0.0 | ||||
2552 | "C:\Users\admin\AppData\Local\Temp\File.exe" | C:\Users\admin\AppData\Local\Temp\File.exe | — | Deluxe Viewbot.exe |
User: admin Company: Deluxe VB Integrity Level: MEDIUM Description: Deluxe Viewbot Exit code: 0 Version: 1.0.0.0 | ||||
2132 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\license.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3284 | "cmd.exe" | C:\Windows\system32\cmd.exe | Deluxe Viewbot.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3968 | reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\Windows API\hostapi.exe.lnk" /f | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2464 | "C:\Users\admin\AppData\Local\Temp\svhost.exe" | C:\Users\admin\AppData\Local\Temp\svhost.exe | Deluxe Viewbot.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Version: 3.5.30729.4926 built by: NetFXw7 | ||||
3528 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xwdt_sru.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | svhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
2808 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES4C0D.tmp" "c:\Users\admin\AppData\Local\Temp\CSC4BFC.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) |
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Deluxe Viewbot.rar | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2856) Deluxe Viewbot.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2856) Deluxe Viewbot.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3072.40311\Deluxe Viewbot.exe | — | |
MD5:— | SHA256:— | |||
3072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3072.40311\license.txt | — | |
MD5:— | SHA256:— | |||
3528 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC4BFC.tmp | — | |
MD5:— | SHA256:— | |||
2808 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES4C0D.tmp | — | |
MD5:— | SHA256:— | |||
3528 | csc.exe | C:\Users\admin\AppData\Local\Temp\xwdt_sru.dll | — | |
MD5:— | SHA256:— | |||
3528 | csc.exe | C:\Users\admin\AppData\Local\Temp\xwdt_sru.out | — | |
MD5:— | SHA256:— | |||
3284 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Windows | text | |
MD5:0E40EA13692676D80C524704BFCF9EA1 | SHA256:1171151FECE673B34DB18CD2BAA4DB135D2801FCBEDAEC818A11542A48699723 | |||
2856 | Deluxe Viewbot.exe | C:\Users\admin\AppData\Local\Temp\Windows API\hostapi.exe.jpg | executable | |
MD5:D16B9E3688F6A2B2A8B66718EAFA9CC1 | SHA256:858CF8F8A4678725485C427DCCB3EFC8673CFDB9605EF6F1DCEA144EE77A8638 | |||
2856 | Deluxe Viewbot.exe | C:\Users\admin\AppData\Local\Temp\Windows API\hostapi.exe.lnk | lnk | |
MD5:BF3B71E42750541034479A7F77805671 | SHA256:E4E86951DD5BEC0D27F8A23BE3C605D927F45962E21430CB9196140729CAF3EE | |||
3284 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Windows API\hostapi.exe | executable | |
MD5:D16B9E3688F6A2B2A8B66718EAFA9CC1 | SHA256:858CF8F8A4678725485C427DCCB3EFC8673CFDB9605EF6F1DCEA144EE77A8638 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2464 | svhost.exe | 152.44.44.237:10115 | distantcheats.pw | Gardner-Webb University | US | malicious |
Domain | IP | Reputation |
---|---|---|
distantcheats.pw |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |