File name: Catlavan.rar
Full analysis: https://app.any.run/tasks/2382cd14-7d5a-4d11-a57f-48d2fbaa86d3
Verdict: Malicious activity
Threats: Stealer

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers a range of programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: February 15, 2025, 18:29:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 064C76CCA8214484451BA0FF2FF82950
SHA1: A3360F237E8D7976C3CA40D8553F8FFDD42BE1E5
SHA256: 556660CB16D05F05EA54DFB2F288A105B5EA25E98A1F897DF80BB9F0191DF87D
SSDEEP: 3072:0IdHHycTF0rDGshD+CZwgWhcFUYfFYIPhg0kOc5tc:0ItHyI4hD/ZwgWhcFUYfpm0s5m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Actions look like stealing of personal data

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
  • SUSPICIOUS

    • Loads DLL from Mozilla Firefox

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
  • INFO

    • Checks proxy server information

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads the software policy settings

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Creates files in a temporary directory

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Disables trace logs

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3848)
    • Manual execution by a user

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads the computer name

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Checks supported languages

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Creates files in the program directory

      • Catlavan.exe (PID: 1868)
    • Reads the machine GUID from the registry

      • Catlavan.exe (PID: 5464)
      • Catlavan.exe (PID: 1868)
    • Reads Environment values

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Reads CPU info

      • Catlavan.exe (PID: 1868)
      • Catlavan.exe (PID: 5464)
    • Creates files or folders in the user directory

      • Catlavan.exe (PID: 5464)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 103936
UncompressedSize: 281088
OperatingSystem: Win32
ArchivedFileName: Catlavan.exe
No data.
Total processes: 128
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe, catlavan.exe, svchost.exe, catlavan.exe

Process information

PID: 1868
CMD: "C:\Users\admin\Desktop\Catlavan.exe"
Path: C:\Users\admin\Desktop\Catlavan.exe
Parent process: explorer.exe
User: admin
Company: 44 CALIBER
Integrity Level: MEDIUM
Description: 44 CALIBER
Exit code: 0
Version: 1.6.2.0
Modules (images):
c:\users\admin\desktop\catlavan.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3848
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Catlavan.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5464
CMD: "C:\Users\admin\Desktop\Catlavan.exe"
Path: C:\Users\admin\Desktop\Catlavan.exe
Parent process: explorer.exe
User: admin
Company: 44 CALIBER
Integrity Level: MEDIUM
Description: 44 CALIBER
Exit code: 0
Version: 1.6.2.0
Modules (images):
c:\users\admin\desktop\catlavan.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 5 815
Read events: 5 782
Write events: 33
Delete events: 0

Modification events

Process | Key | Operation | Name | Value
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\Catlavan.rar
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | write | ShowPassword | 0
WinRAR.exe (PID 3848) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files: 1
Suspicious files: 22
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp906C.tmp.tmpdb | -
MD5: -
SHA256: -
5464 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmpD6EB.tmp.tmpdb | -
MD5: -
SHA256: -
1868 | Catlavan.exe | C:\Users\Public\9kie7cg6.default-release\cert9.db | binary
MD5: C52CD961FB8188CE1B3D97815AA02978
SHA256: FE95CAC7B0F158D55188CE091428A8623DB31C927EDA38DC35411D4CB67EA71E
1868 | Catlavan.exe | C:\Users\Public\9kie7cg6.default-release\logins.json | binary
MD5: DC9ADB7DE19A6753CE90AE94738BFDEF
SHA256: 884B04032E2E70A002956218E8EC3491F2B753C4596CEE6E4894DC49AFA0A681
3848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3848.47212\Catlavan.exe | executable
MD5: 9B7EBF8B6F2F4BE6881AC92AF416013D
SHA256: 72CA70479CE8E4A7EC7C24E412791E8EF09C1BE91D92333FEC9C6C0B395E4066
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp91C9.tmp.dat | binary
MD5: 95FFD778940E6DF4846B0B12C8DD5821
SHA256: 21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
1868 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmp91F9.tmp.dat | binary
MD5: 29A644B1F0D96166A05602FE27B3F4AD
SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
1868 | Catlavan.exe | C:\ProgramData\44\Information.txt | text
MD5: 3B7488C0E5A93616CDC70B0F9D9FA7DF
SHA256: 88279344320D2F326A2323B3BA84D300EF26462C134A71CBDC398DE8CFACFCA8
5464 | Catlavan.exe | C:\Users\admin\AppData\Local\Temp\tmpD75B.tmp.dat | binary
MD5: F6C33AC5E1032A0873BE7BFC65169287
SHA256: D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
1868 | Catlavan.exe | C:\ProgramData\44\Screen.png | binary
MD5: 527724B025A6E674CFF34988597C8BD6
SHA256: EE1E8B199C46470F23D5DFA6EFCAE421F5DEE739FF632965C6D1CCFC5A331B11
HTTP(S) requests: 9
TCP/UDP connections: 37
DNS requests: 21
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1920 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1920 | svchost.exe | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1904 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1904 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2324 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6060 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1920 | svchost.exe | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1920 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1920 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.48.23.145, 23.48.23.167, 23.48.23.147, 23.48.23.177, 23.48.23.173, 23.48.23.169, 23.48.23.176, 23.48.23.193, 23.48.23.180 | whitelisted
www.microsoft.com | 184.30.21.171, 95.101.149.131 | whitelisted
google.com | 142.250.186.174 | whitelisted
www.bing.com | 104.126.37.171, 104.126.37.186, 104.126.37.170, 104.126.37.123, 104.126.37.154, 104.126.37.136, 104.126.37.176, 104.126.37.153 | whitelisted
ocsp.digicert.com | 23.54.109.203, 2.23.77.188 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.76, 40.126.32.133, 20.190.160.20, 40.126.32.136, 20.190.160.17, 20.190.160.132, 40.126.32.68 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
freegeoip.app | 104.21.16.1, 104.21.48.1, 104.21.64.1, 104.21.80.1, 104.21.32.1, 104.21.96.1, 104.21.112.1 | whitelisted
ipbase.com | 172.67.209.71, 104.21.85.189 | unknown

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Checker Domain (freegeoip .app)
1868 | Catlavan.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app)
2192 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
1868 | Catlavan.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
5464 | Catlavan.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
5464 | Catlavan.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app)
No debug info