File name: Catlavan.rar
Full analysis: https://app.any.run/tasks/2382cd14-7d5a-4d11-a57f-48d2fbaa86d3
Verdict: Malicious activity
Threats:

Stealers are a family of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 15, 2025, 18:29:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 064C76CCA8214484451BA0FF2FF82950
SHA1: A3360F237E8D7976C3CA40D8553F8FFDD42BE1E5
SHA256: 556660CB16D05F05EA54DFB2F288A105B5EA25E98A1F897DF80BB9F0191DF87D
SSDEEP: 3072:0IdHHycTF0rDGshD+CZwgWhcFUYfFYIPhg0kOc5tc:0ItHyI4hD/ZwgWhcFUYfpm0s5m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Steals credentials from Web Browsers
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Actions look like stealing of personal data
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
  • SUSPICIOUS
    • Loads DLL from Mozilla Firefox
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Checks for external IP
      • svchost.exe (PID: 2192)
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
  • INFO
    • Checks supported languages
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Manual execution by a user
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Disables trace logs
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3848)
    • Reads the computer name
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads the machine GUID from the registry
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Creates files in a temporary directory
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads Environment values
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads the software policy settings
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads CPU info
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Checks proxy server information
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Creates files in the program directory
      • Catlavan.exe (PID: 1868)
    • Creates files or folders in the user directory
      • Catlavan.exe (PID: 5464)
No Malware configuration.

TRiD
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF (ZIP)
FileVersion: RAR v5
CompressedSize: 103936
UncompressedSize: 281088
OperatingSystem: Win32
ArchivedFileName: Catlavan.exe
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: start, winrar.exe, catlavan.exe, svchost.exe, catlavan.exe

Process information

PID 1868 | CMD: "C:\Users\admin\Desktop\Catlavan.exe" | Path: C:\Users\admin\Desktop\Catlavan.exe | Parent process: explorer.exe
User: admin
Company: 44 CALIBER
Integrity Level: MEDIUM
Description: 44 CALIBER
Exit code: 0
Version: 1.6.2.0
Modules (images): c:\users\admin\desktop\catlavan.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 2192 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID 3848 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Catlavan.rar | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images): c:\program files\winrar\winrar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll

PID 5464 | CMD: "C:\Users\admin\Desktop\Catlavan.exe" | Path: C:\Users\admin\Desktop\Catlavan.exe | Parent process: explorer.exe
User: admin
Company: 44 CALIBER
Integrity Level: MEDIUM
Description: 44 CALIBER
Exit code: 0
Version: 1.6.2.0
Modules (images): c:\users\admin\desktop\catlavan.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll
Total events: 5 815
Read events: 5 782
Write events: 33
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\Catlavan.rar
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | write | ShowPassword | 0
(3848) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files: 1
Suspicious files: 22
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp906C.tmp.tmpdb | (not listed)
MD5: (not listed) | SHA256: (not listed)
5464 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmpD6EB.tmp.tmpdb | (not listed)
MD5: (not listed) | SHA256: (not listed)
3848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3848.47212\Catlavan.exe | executable
MD5: 9B7EBF8B6F2F4BE6881AC92AF416013D | SHA256: 72CA70479CE8E4A7EC7C24E412791E8EF09C1BE91D92333FEC9C6C0B395E4066
1868 | Catlavan.exe | C:\Users\Public\9kie7cg6.default-release\logins.json | binary
MD5: DC9ADB7DE19A6753CE90AE94738BFDEF | SHA256: 884B04032E2E70A002956218E8EC3491F2B753C4596CEE6E4894DC49AFA0A681
1868 | Catlavan.exe | C:\ProgramData\44\Screen.png | binary
MD5: 527724B025A6E674CFF34988597C8BD6 | SHA256: EE1E8B199C46470F23D5DFA6EFCAE421F5DEE739FF632965C6D1CCFC5A331B11
1868 | Catlavan.exe | C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt | text
MD5: 6A1CC414B0FE4F9B06852689163B0F2D | SHA256: D3ACD72F585872F36D7329FAF6146DC2D71C3CBCBD58D94E36DA285738ADAA68
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp91F9.tmp.dat | binary
MD5: 29A644B1F0D96166A05602FE27B3F4AD | SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp9199.tmp.dat | binary
MD5: F6C33AC5E1032A0873BE7BFC65169287 | SHA256: D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp9169.tmp.tmpdb | binary
MD5: 19BA68C3ECBCA72C2B90AFADDE745DC6 | SHA256: 8B3758EE2D2C0A07EE7003F902F0667ABE5D9667941F8617EDA3CDF94C78E7B8
1868 | Catlavan.exe | C:\Users\Public\9kie7cg6.default-release\key4.db | binary
MD5: 0FF3BCDD0BE077B9EB8194B5C09F453C | SHA256: 225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 37
DNS requests: 21
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN/Type | Reputation
(The CN, Type and Size columns are flattened in the extracted report: only the single value "unknown" survives per row, and Size is absent.)
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1920 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1920 | svchost.exe | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1904 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2324 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
1904 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6060 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
(not shown) | (not shown) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1920 | svchost.exe | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1920 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1920 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.48.23.145, 23.48.23.167, 23.48.23.147, 23.48.23.177, 23.48.23.173, 23.48.23.169, 23.48.23.176, 23.48.23.193, 23.48.23.180 | whitelisted
www.microsoft.com | 184.30.21.171, 95.101.149.131 | whitelisted
google.com | 142.250.186.174 | whitelisted
www.bing.com | 104.126.37.171, 104.126.37.186, 104.126.37.170, 104.126.37.123, 104.126.37.154, 104.126.37.136, 104.126.37.176, 104.126.37.153 | whitelisted
ocsp.digicert.com | 23.54.109.203, 2.23.77.188 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.76, 40.126.32.133, 20.190.160.20, 40.126.32.136, 20.190.160.17, 20.190.160.132, 40.126.32.68 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
freegeoip.app | 104.21.16.1, 104.21.48.1, 104.21.64.1, 104.21.80.1, 104.21.32.1, 104.21.96.1, 104.21.112.1 | whitelisted
ipbase.com | 172.67.209.71, 104.21.85.189 | unknown

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Checker Domain (freegeoip .app)
1868 | Catlavan.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app)
2192 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
1868 | Catlavan.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
5464 | Catlavan.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
5464 | Catlavan.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app)
No debug info