File name: Документы на проверку.7z
Full analysis: https://app.any.run/tasks/d7178c5e-7a8c-4f9b-ad4d-17bfee6a61d0
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers gain partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: March 14, 2019, 12:07:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, rat, redaman
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 89BC0CBF3A3A031A038928C14CCFABDB
SHA1: 7332E78EC8F19FBC7656963D4006E983848D1626
SHA256: 3946BF9A49E5FCCD0B1A8D1D7B63BACBA963456F20A60538F5700486CB7A7722
SSDEEP: 6144:vO7nXfqHiQ95Nyc2Pm5fX2vAgKCmJSenVyu6J3jHa8QEnhcttAZKNzc52XgzIz:vO7XfqBN1NmogKCmQEVf6J3e8QEnhtZW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2792)
      • Документы на проверку.exe (PID: 2848)
      • explorer.exe (PID: 116)
      • WinRAR.exe (PID: 2836)
      • Документы на проверку.exe (PID: 3816)
      • Документы на проверку.exe (PID: 3452)
    • Application was dropped or rewritten from another process

      • Документы на проверку.exe (PID: 2848)
      • Документы на проверку.exe (PID: 3816)
      • Документы на проверку.exe (PID: 3452)
    • REDAMAN was detected

      • rundll32.exe (PID: 2792)
    • Loads the Task Scheduler COM API

      • Документы на проверку.exe (PID: 2848)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2836)
      • Документы на проверку.exe (PID: 2848)
      • explorer.exe (PID: 116)
      • Документы на проверку.exe (PID: 3452)
      • Документы на проверку.exe (PID: 3816)
    • Creates files in the program directory

      • Документы на проверку.exe (PID: 2848)
    • Connects to unusual port

      • rundll32.exe (PID: 2792)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 39
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

[Interactive graph; only its node and edge labels survive extraction] Nodes: winrar.exe, документы на проверку.exe, rundll32.exe (#REDAMAN), explorer.exe, документы на проверку.exe, документы на проверку.exe. Edge labels: "drop and start" (three edges), "start" (one edge).

Process information

PID: 2836
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Документы на проверку.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2848
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.30493\Документы на проверку.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.30493\Документы на проверку.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2792
CMD: rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root
Path: C:\Windows\system32\rundll32.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 116
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3452
CMD: "C:\Users\admin\Desktop\Документы на проверку.exe"
Path: C:\Users\admin\Desktop\Документы на проверку.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3816
CMD: "C:\Users\admin\Desktop\Документы на проверку.exe"
Path: C:\Users\admin\Desktop\Документы на проверку.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 1 442
Read events: 1 399
Write events: 43
Delete events: 0

Modification events

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Документы на проверку.7z

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (116) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\OpenWithList
Operation: write
Name: a
Value: WinRAR.exe

(PID) Process: (116) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\OpenWithList
Operation: write
Name: MRUList
Value: a

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2836) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 7
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2792
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ACC1.tmp
MD5:
SHA256:

PID: 2792
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\obcagjgejffnodbp
MD5:
SHA256:

PID: 2792
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.30493\Документы на проверку.exe
MD5:
SHA256:

PID: 2792
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.30493\icgaddlafmgciipg
MD5:
SHA256:

PID: 2848
Process: Документы на проверку.exe
Filename: C:\ProgramData\2401bf603c90\2702bc633f93.dat
Type: executable
MD5: 130211E2A10D160527E97CB28DC9534C
SHA256: FCFF7AB2695994B6863E4882B0B4BEFEF52208996DD58C519FDE7EA5F7C118E8

PID: 3816
Process: Документы на проверку.exe
Filename: C:\Users\admin\AppData\Local\Temp\87C5.tmp
Type: executable
MD5: 130211E2A10D160527E97CB28DC9534C
SHA256: FCFF7AB2695994B6863E4882B0B4BEFEF52208996DD58C519FDE7EA5F7C118E8

PID: 2848
Process: Документы на проверку.exe
Filename: C:\Users\admin\AppData\Local\Temp\ACC1.tmp
Type: executable
MD5: 130211E2A10D160527E97CB28DC9534C
SHA256: FCFF7AB2695994B6863E4882B0B4BEFEF52208996DD58C519FDE7EA5F7C118E8

PID: 3452
Process: Документы на проверку.exe
Filename: C:\Users\admin\AppData\Local\Temp\6156.tmp
Type: executable
MD5: 130211E2A10D160527E97CB28DC9534C
SHA256: FCFF7AB2695994B6863E4882B0B4BEFEF52208996DD58C519FDE7EA5F7C118E8

PID: 2836
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.30493\Документы на проверку.exe
Type: executable
MD5: F2D451D457B1B438BF08FC8CD2B702AD
SHA256: EAAF65B45C49AB5B0FBE07E33499A5A79F7E7E96C2CCF12B4E5B19F07D054B34

PID: 2836
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2836.31705\Документы на проверку.exe
Type: executable
MD5: F2D451D457B1B438BF08FC8CD2B702AD
SHA256: EAAF65B45C49AB5B0FBE07E33499A5A79F7E7E96C2CCF12B4E5B19F07D054B34
HTTP(S) requests: 1
TCP/UDP connections: 53
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2792 | rundll32.exe | GET | 200 | 178.62.9.171:80 | http://myip.ru/index_small.php | GB | html | 321 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2792 | rundll32.exe | 172.105.198.191:9100 | | | US | suspicious
2792 | rundll32.exe | 173.230.137.91:9001 | | Linode, LLC | US | suspicious
2792 | rundll32.exe | 185.100.85.175:443 | | Flokinet Ltd | RO | suspicious
2792 | rundll32.exe | 178.62.9.171:80 | myip.ru | Digital Ocean, Inc. | GB | malicious
2792 | rundll32.exe | 91.213.233.138:443 | | Optima Telecom Ltd. | KG | malicious
2792 | rundll32.exe | 77.203.13.57:9001 | | SFR | FR | suspicious
2792 | rundll32.exe | 86.148.54.29:9001 | | British Telecommunications PLC | GB | unknown
2792 | rundll32.exe | 37.122.208.220:9001 | | Host Europe GmbH | GB | suspicious
2792 | rundll32.exe | 35.168.202.103:443 | | Amazon.com, Inc. | US | suspicious
2792 | rundll32.exe | 116.202.28.73:80 | | 334,Udyog Vihar | IN | suspicious

DNS requests

Domain | IP | Reputation
myip.ru | 178.62.9.171 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
2792 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY myip.ru IP lookup
2792 | rundll32.exe | A Network Trojan was detected | ET TROJAN [PTsecurity] Win32/Spy.RTM/Redaman IP Check
2792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman) IP Check
2792 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 441
2792 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184
2792 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184
2792 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
2792 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 443
2792 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
2792 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 685
No debug info