analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DangerousRat2020-mai.zip

Full analysis: https://app.any.run/tasks/d24f4f4d-0f05-4fb0-afce-82d59b48140b
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:45:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

3D184557A63CAE542CAAE1DE6F726555

SHA1:

1DC6EAE90088F0AA79F44B3B7CC03519D997565E

SHA256:

3E55D1302C88B2C0CFA9FF09BC1A69681FA13B6949F45E3D56507E5F41F69E1D

SSDEEP:

196608:HbtBPRnfvon6IZYhydLLCdsflb8MKHTdasRjhp5:TZQ60LyS8MSasRjhp5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 948)
      • WerFault.exe (PID: 628)
      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 1972)
      • SearchProtocolHost.exe (PID: 368)
      • Explorer.EXE (PID: 1464)

    • Application was dropped or rewritten from another process

      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 948)
      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 1972)

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3044)

  • SUSPICIOUS

    • Checks supported languages

      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 948)
      • WinRAR.exe (PID: 3044)
      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 1972)

    • Reads the computer name

      • WinRAR.exe (PID: 3044)
      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 948)
      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 1972)

    • Reads Environment values

      • WerFault.exe (PID: 628)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3044)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3044)

    • Uses RUNDLL32.EXE to load library

      • Explorer.EXE (PID: 1464)

  • INFO

    • Reads the computer name

      • SearchProtocolHost.exe (PID: 368)
      • WerFault.exe (PID: 628)

    • Checks supported languages

      • WerFault.exe (PID: 628)
      • SearchProtocolHost.exe (PID: 368)
      • rundll32.exe (PID: 3540)

    • Manual execution by user

      • Dangerous RAT 2020 Cracked by Unknown Venom.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: DangerousRat2020-main/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2021:02:18 05:00:16
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe dangerous rat 2020 cracked by unknown venom.exe werfault.exe searchprotocolhost.exe no specs dangerous rat 2020 cracked by unknown venom.exe explorer.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3044"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DangerousRat2020-mai.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
948"C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.11230\DangerousRat2020-main\Dangerous RAT 2020 Cracked by Unknown Venom.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.11230\DangerousRat2020-main\Dangerous RAT 2020 Cracked by Unknown Venom.exe
WinRAR.exe
User:
admin
Company:
Dangerous RAT 2020
Integrity Level:
MEDIUM
Description:
Dangerous RAT 2020
Exit code:
3762504530
Version:
0.0.0.7
628C:\Windows\system32\WerFault.exe -u -p 948 -s 740C:\Windows\system32\WerFault.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
368"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
1972"C:\Users\admin\Desktop\DangerousRat2020-main\Dangerous RAT 2020 Cracked by Unknown Venom.exe" C:\Users\admin\Desktop\DangerousRat2020-main\Dangerous RAT 2020 Cracked by Unknown Venom.exe
Explorer.EXE
User:
admin
Company:
Dangerous RAT 2020
Integrity Level:
MEDIUM
Description:
Dangerous RAT 2020
Exit code:
3762504530
Version:
0.0.0.7
1464C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3540"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\DangerousRat2020-main\README.mdC:\Windows\system32\rundll32.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
5 710
Read events
5 580
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
2
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
628WerFault.exeC:\Users\admin\AppData\Local\Temp\WER1721.tmp.hdmp
MD5:
SHA256:
628WerFault.exeC:\Users\admin\AppData\Local\Temp\WER39BD.tmp.mdmp
MD5:
SHA256:
628WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_WNYA1SZB3K3EXIKB_12b3998ef089372124d1fb6431a1b89fddeb7_cab_02653ac4\WER1721.tmp.hdmp
MD5:
SHA256:
628WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_WNYA1SZB3K3EXIKB_12b3998ef089372124d1fb6431a1b89fddeb7_cab_02653ac4\WER39BD.tmp.mdmp
MD5:
SHA256:
628WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_WNYA1SZB3K3EXIKB_12b3998ef089372124d1fb6431a1b89fddeb7_cab_02653ac4\Report.wer
MD5:
SHA256:
628WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Dangerous RAT 2020 Cracked by Unknown Venom.exe.948.dmp
MD5:
SHA256:
628WerFault.exeC:\Users\admin\AppData\Local\Temp\WER1440.tmp.WERInternalMetadata.xmlxml
MD5:4237F4E2E507E2942BC4C42F324A80F8
SHA256:BD4484766FC542CD74DE98E19DBD08F230F67D6E88AAD5BBEEEFB58EFB006086
628WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_WNYA1SZB3K3EXIKB_12b3998ef089372124d1fb6431a1b89fddeb7_cab_02653ac4\WER1440.tmp.WERInternalMetadata.xmlxml
MD5:4237F4E2E507E2942BC4C42F324A80F8
SHA256:BD4484766FC542CD74DE98E19DBD08F230F67D6E88AAD5BBEEEFB58EFB006086
3044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3044.16300\DangerousRat2020-main\README.mdtext
MD5:50B8EF98BC1F9C3FF48B9019C3870D38
SHA256:446421DFF4B469831E47DC4BA9B91A99FC35C4F62CB1AAA5A01A3761732F843E
3044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3044.11230\DangerousRat2020-main\README.mdtext
MD5:50B8EF98BC1F9C3FF48B9019C3870D38
SHA256:446421DFF4B469831E47DC4BA9B91A99FC35C4F62CB1AAA5A01A3761732F843E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
628
WerFault.exe
20.189.173.22:443
watson.microsoft.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
watson.microsoft.com
  • 20.189.173.22
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DangerousRat2020-mai.zip