File name: Пакет документов для оплаты апрель.z

Full analysis: https://app.any.run/tasks/24e44d4a-0e7c-4be6-93c6-cc03b71e6bfa
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: September 11, 2019, 09:59:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, redaman, rat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B0A534D8DF50CE1A28954939F4114736
SHA1: 95F0849C328A06657E776EF89446CF6386E02690
SHA256: 451772D30AD63731C379D8EE2872543C2E0463EB13B1D1F9E3DE82EE5721D78E
SSDEEP: 6144:x1k1VohWwiPJXi3lHrUuZ7PUsNIoSP6ja42di:x1y+hePJSVLUuKgIDSZh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2904)
      • explorer.exe (PID: 276)
      • rundll32.exe (PID: 3488)
      • rundll32.exe (PID: 2156)
    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 2904)
    • Redaman was detected

      • rundll32.exe (PID: 3488)
      • rundll32.exe (PID: 2904)
    • Changes settings of System certificates

      • rundll32.exe (PID: 3488)
    • Application was dropped or rewritten from another process

      • Пакет документов для оплаты апрель.exe (PID: 3332)
      • Пакет документов для оплаты апрель.exe (PID: 3884)
    • Changes the autorun value in the registry

      • Пакет документов для оплаты апрель.exe (PID: 3332)
      • Пакет документов для оплаты апрель.exe (PID: 3884)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 276)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 276)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2484)
      • rundll32.exe (PID: 2904)
      • Пакет документов для оплаты апрель.exe (PID: 3884)
    • Uses RUNDLL32.EXE to load library

      • Пакет документов для оплаты апрель.exe (PID: 3884)
      • Пакет документов для оплаты апрель.exe (PID: 3332)
    • Executed via Task Scheduler

      • rundll32.exe (PID: 3488)
    • Connects to server without host name

      • rundll32.exe (PID: 3488)
    • Adds / modifies Windows certificates

      • rundll32.exe (PID: 3488)
    • Executed via COM

      • DllHost.exe (PID: 3280)
    • Creates files in the program directory

      • rundll32.exe (PID: 2904)
  • INFO

    • Reads the hosts file

      • rundll32.exe (PID: 3488)
    • Manual execution by user

      • WinRAR.exe (PID: 2484)
      • Пакет документов для оплаты апрель.exe (PID: 3884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 10
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes shown in the graph (the interactive graph is available in the full report): winrar.exe, Пакет документов для оплаты апрель.exe, rundll32.exe (#REDAMAN), explorer.exe, Shell Security Editor.

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 276
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2156
CMD: rundll32.exe load.dll,DllGetClassObject root 000000000000 Post Install program: <None>
Path: C:\Windows\system32\rundll32.exe
Parent process: Пакет документов для оплаты апрель.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 2484
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.z.rar" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2904
CMD: rundll32.exe load.dll,DllGetClassObject root 000000000000 Post Install program: <None>
Path: C:\Windows\system32\rundll32.exe
Parent process: Пакет документов для оплаты апрель.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 3108
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.z.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3280
CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3332
CMD: "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe"
Path: C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe
Parent process: explorer.exe
User: admin
Company: Корпорация Майкрософт (Microsoft Corporation)
Integrity Level: HIGH
Description: Самоизвлечение CAB-файлов Win32 (Win32 Cabinet Self-Extractor)
Exit code: 0
Version: 6.00.2900.5512 (xpsp.080413-2105)
Modules
Images
c:\users\admin\desktop\пакет документов для оплаты апрель.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3488
CMD: rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root
Path: C:\Windows\system32\rundll32.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
PID: 3712
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3884
CMD: "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe"
Path: C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe
Parent process: explorer.exe
User: admin
Company: Корпорация Майкрософт (Microsoft Corporation)
Integrity Level: HIGH
Description: Самоизвлечение CAB-файлов Win32 (Win32 Cabinet Self-Extractor)
Exit code: 0
Version: 6.00.2900.5512 (xpsp.080413-2105)
Modules
Images
c:\users\admin\desktop\пакет документов для оплаты апрель.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 3 848
Read events: 3 235
Write events: 610
Delete events: 3

Modification events

(PID) Process: (276) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000045F907FE9B3AFF49B54F5B2E9331906F000000000200000000001066000000010000200000006788387C730B73F8E2FF3522F10A7B42A613EB77C06BD4EA9F133FC175BB0CF0000000000E8000000002000020000000D8C943BF81E096AF822715F3FB3794AF88070A6605CE01174B1F5252BDB9592B300000006E5D2EFFDC34E54EF7D10D7F22E1B865C69816B207EF9CF57D4A91256D51CAD52D26BA6AF36F15C2B9AB05B5EF5DCB444000000085341C6E77AF0D4EC6EA06B24428DE25293F99A2C7C363CD263D26EEB7C5FE95899E7E7EC9B9965EB22EDDFB7AF90F80D45BBF6CC318E0B4707E6F4AD777B28C

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (276) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Пакет документов для оплаты апрель.z.rar

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3108) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 4

Dropped files

Columns: PID | Process | Filename | Type

PID: 3332 | Process: Пакет документов для оплаты апрель.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\load.dll | Type:
MD5:
SHA256:
PID: 276 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | Type: automaticdestinations-ms
MD5:
SHA256:
PID: 3884 | Process: Пакет документов для оплаты апрель.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\load.dll | Type: executable
MD5:
SHA256:
PID: 276 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | Type: automaticdestinations-ms
MD5:
SHA256:
PID: 276 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019091120190912\index.dat | Type: dat
MD5:
SHA256:
PID: 2904 | Process: rundll32.exe | Filename: C:\ProgramData\2401bf603c90\2702bc633f93.dat | Type: executable
MD5:
SHA256:
PID: 276 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Пакет документов для оплаты апрель.z.rar.lnk | Type: lnk
MD5:
SHA256:
PID: 2484 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe | Type: executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 17
DNS requests: 4
Threats: 12

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

PID: 3488 | Process: rundll32.exe | Method: POST | IP: 185.203.116.89:80 | URL: http://185.203.116.89/index.php | CN: BG | Reputation: malicious
PID: 3488 | Process: rundll32.exe | Method: POST | IP: 185.203.116.89:80 | URL: http://185.203.116.89/index.php | CN: BG | Reputation: malicious
PID: 3488 | Process: rundll32.exe | Method: POST | IP: 185.205.210.233:80 | URL: http://185.205.210.233/index.php | CN: BG | Reputation: malicious
PID: 3488 | Process: rundll32.exe | Method: POST | IP: 185.205.210.233:80 | URL: http://185.205.210.233/index.php | CN: BG | Reputation: malicious

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

PID: 3488 | Process: rundll32.exe | IP: 188.165.200.156:53 | ASN: OVH SAS | CN: FR | Reputation: malicious
PID: 3488 | Process: rundll32.exe | IP: 162.243.211.124:443 | Domain: namecoin.cyphrs.com | ASN: Digital Ocean, Inc. | CN: US | Reputation: unknown
PID: 3488 | Process: rundll32.exe | IP: 185.205.210.233:80 | ASN: BelCloud Hosting Corporation | CN: BG | Reputation: malicious
PID: 3488 | Process: rundll32.exe | IP: 217.12.210.54:53 | ASN: ITL Company | CN: UA | Reputation: malicious
IP: 188.165.200.156:53 | ASN: OVH SAS | CN: FR | Reputation: malicious
PID: 3488 | Process: rundll32.exe | IP: 185.203.116.89:80 | ASN: BelCloud Hosting Corporation | CN: BG | Reputation: malicious
PID: 3488 | Process: rundll32.exe | IP: 91.217.137.37:53 | ASN: Meganet-2003 LLC | CN: RU | Reputation: malicious

DNS requests

Columns: Domain | IP | Reputation

Domain: namecoin.cyphrs.com | IP: 162.243.211.124 | Reputation: unknown
Domain: stat-counter-7.bit | Reputation: unknown
Domain: dns.msftncsi.com | IP: 131.107.255.255 | Reputation: shared

Threats

Columns: PID | Process | Class | Message

PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 1060 | Process: svchost.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 3488 | Process: rundll32.exe | Class: A Network Trojan was detected | Message: MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
PID: 3488 | Process: rundll32.exe | Class: A Network Trojan was detected | Message: MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
PID: 3488 | Process: rundll32.exe | Class: Potentially Bad Traffic | Message: ET INFO DNS Query Domain .bit
No debug info