File name: GTA 6 Builder-Install.rar

Full analysis: https://app.any.run/tasks/3a5fb4eb-7ad3-4199-a799-ae45fb037c8b
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: December 22, 2023, 10:01:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: dcrat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 202D57EFC789177CFFC54FC99C0EC76B
SHA1: 5F6439B96A1A378E0D7A53CFA6EF3685BB6790E8
SHA256: 4359D215AE928EBB5B0EAA8CEBB8E51BACD7E6E9B634740225DF28B846A9352E
SSDEEP: 98304:30bzWVqVlbblV8YOuvHeikS33wy3l/ZCfJQLkh1IfjxRe1/sr1MauHqfM9wfhAxW:2bpehnU4BcPzSLynazPY0QTZUI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • ms_update.exe (PID: 480)
    • DCRAT has been detected (YARA)

      • ms_updater.exe (PID: 712)
  • SUSPICIOUS

    • Reads the Internet Settings

      • GTA 6 Builder-Install.exe (PID: 2024)
      • ms_updater.exe (PID: 712)
    • Reads settings of System Certificates

      • ms_updater.exe (PID: 712)
  • INFO

    • Checks supported languages

      • GTA 6 Builder-Install.exe (PID: 2024)
      • ms_update.exe (PID: 480)
      • ms_updater.exe (PID: 712)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 128)
      • GTA 6 Builder-Install.exe (PID: 2024)
      • ms_update.exe (PID: 480)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 128)
    • Manual execution by a user

      • GTA 6 Builder-Install.exe (PID: 2024)
      • explorer.exe (PID: 2384)
    • Creates files or folders in the user directory

      • GTA 6 Builder-Install.exe (PID: 2024)
      • ms_update.exe (PID: 480)
    • Reads the computer name

      • GTA 6 Builder-Install.exe (PID: 2024)
      • ms_update.exe (PID: 480)
      • ms_updater.exe (PID: 712)
    • Reads Environment values

      • ms_updater.exe (PID: 712)
    • Reads the machine GUID from the registry

      • ms_update.exe (PID: 480)
      • ms_updater.exe (PID: 712)
    • Reads product name

      • ms_updater.exe (PID: 712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process: (712) ms_updater.exe
C2 (1): https://pastebin.com/raw/LWvs8stk
Options
Mutex: DCR_MUTEX-jXkHv65ifMXN5oCQdgi1
savebrowsersdatatosinglefile: false
ignorepartiallyemptydata: false
cookies: true
passwords: true
forms: true
cc: false
history: false
telegram: true
steam: true
discord: true
filezilla: true
screenshot: true
clipboard: true
sysinfo: true
searchpath: %UsersFolder% - Fast
Target: ru

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view available in the full report): winrar.exe, gta 6 builder-install.exe, ms_update.exe, ms_updater.exe (#DCRAT), explorer.exe

Process information

PID: 128
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GTA 6 Builder-Install.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 480
CMD: "C:\Users\admin\AppData\Roaming\ms_update.exe"
Path: C:\Users\admin\AppData\Roaming\ms_update.exe
Parent process: GTA 6 Builder-Install.exe
User: admin
Company: System32 1989-2023
Integrity Level: MEDIUM
Description: System32
Exit code: 0
Version: 15.6.13.6
Modules
Images
c:\users\admin\appdata\roaming\ms_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 712
CMD: "C:\Users\admin\AppData\Roaming\ms_updater.exe"
Path: C:\Users\admin\AppData\Roaming\ms_updater.exe
Parent process: GTA 6 Builder-Install.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: "C:\Users\admin\AppData\Roaming\ms_updater.exe"
Path: C:\Users\admin\AppData\Roaming\ms_updater.exe
Parent process: GTA 6 Builder-Install.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same binary also runs as PID 712 at HIGH integrity)
Version: 5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
PID: 2024
CMD: "C:\Users\admin\Desktop\GTA 6 Builder-Install.exe"
Path: C:\Users\admin\Desktop\GTA 6 Builder-Install.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\gta 6 builder-install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2384
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 4 935
Read events: 4 884
Write events: 51
Delete events: 0

Modification events

(PID) Process: (128) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 7
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 128, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.31999\NlsData004a.dll (executable)
MD5: BE007B645B9D1332E3346107727320D9
SHA256: 7B128BE8D77398CBC3BB789A34E21AFC984C2E87276907A01326F8FB4504E9DA

PID 128, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.31999\NL7Data0404.dll (executable)
MD5: 81B14FD1C9D2B830E55C93C4C38AFA2F
SHA256: 878E2DBAC4B6A6BCCE54742F3C7BFD87AA93A6637CCCC1E5D18AB65215D81BEE

PID 128, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.31999\GTA 6 Builder-Install.exe (executable)
MD5: 56CBFC6271A60949F8818459A60BDFA6
SHA256: E860A9206EE832C3C59731D545B551E720318E0B7DD01EA1E4AA44348E5C2F9C

PID 128, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.31999\README.txt (text)
MD5: 229BFB07694F123E2CB4986F47100A62
SHA256: 8DF26B1F550C80646F01D25B8AAFCABB1342BBB2BE1CD335CDB8D254BE8C4090

PID 2024, GTA 6 Builder-Install.exe: C:\Users\admin\AppData\Roaming\ms_update.exe (executable)
MD5: 8597488355F310BC0046FD9F3EB87C6B
SHA256: 9FA04A8D42F65ABDD06306941A8E83078BB74F70C508FB8030586759A6D408E5

PID 2024, GTA 6 Builder-Install.exe: C:\Users\admin\AppData\Roaming\ms_updater.exe (executable)
MD5: 5CEE940B52DA0E967FECB1133B6304D0
SHA256: 0CBC0042EA0C1F235C35CFC40A62D29A5D794535FA164DFB57F7B90334FFE767

PID 480, ms_update.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe (executable)
MD5: 8597488355F310BC0046FD9F3EB87C6B
SHA256: 9FA04A8D42F65ABDD06306941A8E83078BB74F70C508FB8030586759A6D408E5

PID 128, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.31999\NL7Models0804.dll (executable)
MD5: 65525C7B89204D241120B7638934A0D2
SHA256: 18F7F52F14986133F9A9676D5AB959349377A53C0936CEA6EB9880E72F85BC54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 1

HTTP requests

PID: 712
Process: ms_updater.exe
Method: GET
IP: 172.67.129.42:80
URL: http://714745cm.nyashland.top/nyashsupport.php?YSdnEeA1U=DvuS&17789cb3578c6680ba919ed580bcbc59=c33b5fda8c587ac7ab22b49b86ea1260&024ace78b46de9dec7d33cd74bf374d2=AM5gzYmdjMklTM3QGNjJjNkdzY1QjYjFTMjhzM5YTN4UGNxgTZ3ITZ&YSdnEeA1U=DvuS
CN: unknown
Reputation: unknown

Connections

PID 4 (System) -> 192.168.100.255:138, reputation: whitelisted
PID 4 (System) -> 192.168.100.255:137, reputation: whitelisted
PID 1080 (svchost.exe) -> 224.0.0.252:5355, reputation: unknown
PID 712 (ms_updater.exe) -> 172.67.34.170:443 (pastebin.com, CLOUDFLARENET, US), reputation: unknown
PID 712 (ms_updater.exe) -> 172.67.129.42:80 (714745cm.nyashland.top, CLOUDFLARENET, US), reputation: unknown

DNS requests

pastebin.com
  • 172.67.34.170
  • 104.20.67.143
  • 104.20.68.143
  Reputation: shared
714745cm.nyashland.top
  • 172.67.129.42
  • 104.21.1.107
  Reputation: unknown

Threats

PID: 1080
Process: svchost.exe
Class: Potentially Bad Traffic
Message: ET DNS Query to a *.top domain - Likely Hostile