File name: Xtreme RAT v2.9.zip

Full analysis: https://app.any.run/tasks/a3bcb030-37a7-4285-95c3-d05e4f8dc102
Verdict: Malicious activity
Analysis date: June 27, 2023, 17:44:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 7FA5B638F601EA352476A602FCD4F86C
SHA1: E88850E675AEF74FD8CA8DEA774F28534C02F773
SHA256: 56E7E3847666DCFA2DAFF802C9CB42D99E9A7763717C4AE03176042F53C0C58D
SSDEEP: 196608:d8uiHhv0MOwJkJcGj3owaHA4hfRwn+86TK+iry1pcmgg20:d8uiH+MOwqmGjYwaHhhO+8ipN20

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Cliente.exe (PID: 3880)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3140)
    • Manual execution by a user
      • Cliente.exe (PID: 3880)
    • Reads the computer name
      • Cliente.exe (PID: 3880)
    • Checks supported languages
      • Cliente.exe (PID: 3880)
    • Create files in a temporary directory
      • Cliente.exe (PID: 3880)
No Malware configuration.

The only MALICIOUS signature is the drop-and-execute chain (WinRAR.exe writes Cliente.exe, the user launches it by hand). The run produced no suspicious indicators, no extracted configuration, no DNS or HTTP requests and no IDS threats (see the network sections below), so nothing in this report shows the RAT reaching a controller; the verdict rests on that single signature.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Cliente.exe
ZipUncompressedSize: 3565056
ZipCompressedSize: 3455461
ZipCRC: 0x13e87792
ZipModifyDate: 2011:06:18 23:12:34
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
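The EXIF block above describes only the archive's first member (Cliente.exe). The script below is an added example, not part of the ANY.RUN report: it enumerates every member of a ZIP in memory and reports the same fields (name, CRC-32, compressed and uncompressed size) for each, adds a SHA-256 and a PE-header check, and never writes a member to disk, so the executables in an archive like this one can be identified and hashed before anything is extracted or run. The archive it processes is a small constructed one containing a fake PE image; the 64 MiB per-member limit is this example's own choice.

```python
"""Static enumeration of a ZIP archive without extracting it to disk.

Added example, not ANY.RUN's code. Reports name, CRC-32 and sizes for every
member (the EXIF block shows them for the first member only), plus a SHA-256
and a PE-header check so executables are spotted before anything runs.
"""
import hashlib
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import List

# Refuse to inflate a single member above this size (simple zip-bomb guard; assumption).
MAX_MEMBER_BYTES = 64 * 1024 * 1024


@dataclass
class Member:
    name: str
    crc32: str          # formatted like the report's ZipCRC field, e.g. 0x13e87792
    compressed: int
    uncompressed: int
    sha256: str
    is_pe: bool


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_zip(blob: bytes) -> List[Member]:
    """Walk every file member of the archive held in `blob` and describe it."""
    members = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: {info.file_size} bytes exceeds limit")
            data = zf.read(info)  # zipfile raises BadZipFile if the stored CRC does not match
            members.append(Member(
                name=info.filename,
                crc32=f"0x{info.CRC:08x}",
                compressed=info.compress_size,
                uncompressed=info.file_size,
                sha256=hashlib.sha256(data).hexdigest(),
                is_pe=looks_like_pe(data),
            ))
    return members


def build_sample_zip() -> bytes:
    """Constructed test archive: a minimal fake PE image and a text file."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    fake_pe += b"PE\0\0" + b"\0" * 20              # PE signature + empty COFF header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Cliente.exe", bytes(fake_pe))
        zf.writestr("Language/Portugues.ini", "[Main]\nTitle=Cliente\n")
    return buf.getvalue()


if __name__ == "__main__":
    for m in inspect_zip(build_sample_zip()):
        tag = "PE  " if m.is_pe else "    "
        print(f"{tag}{m.name:28} crc={m.crc32} size={m.uncompressed}/{m.compressed} sha256={m.sha256}")
```

To run it against a real sample, pass the archive's bytes (`inspect_zip(open(path, "rb").read())`) and compare the `crc32` and size fields with the EXIF values the report shows; `zf.read` verifies the stored CRC itself and raises on a mismatch.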
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winrar.exe; cliente.exe (no specs)

Process information

PID 3140
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Xtreme RAT v2.9.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll

PID 3880
CMD: "C:\Users\admin\Desktop\Cliente.exe"
Path: C:\Users\admin\Desktop\Cliente.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
(No Company, Description or Version fields were reported for this image.)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\cliente.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 1 086
Read events: 1 078
Write events: 8
Delete events: 0

Modification events

All eight write events come from WinRAR.exe (PID 3140); Cliente.exe (PID 3880) wrote nothing to the registry.

(PID 3140) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList = en-US
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 = C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\Desktop\phacker.zip
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120
(PID 3140) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime = 100

ArcHistory is WinRAR's list of recently opened archives; the three paths it records are other archives on the sandbox Desktop and reflect the image's own history, not anything this sample created. The MuiCache and FileColumnWidths values are ordinary GUI state. None of these writes establishes persistence.
Executable files: 2
Suspicious files: 98
Text files: 13
Unknown types: 0

Dropped files

All entries below were written by WinRAR.exe (PID 3140) into its temporary extraction directory C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\ (paths are given relative to it); the report lists 10 of the 113 files it counted. Note that the process that ran (PID 3880) was C:\Users\admin\Desktop\Cliente.exe, not the Temp copy; the report gives hashes only for the Temp copy.

DllNotify\DllNotify.dproj (text)
  MD5: 6921FFD09549C2001C19F6D680F579D9
  SHA256: 36B30DA60EEDE5CCFB3FF825E437B06343904DF8E2215318263E63BA559AB160
DllNotify\DllNotify.dproj.local (xml)
  MD5: 69403FE92D5F88C3B093896760DCE9D0
  SHA256: 7377CB147580C54AD07A17FE669142013E55B427FBC041C88A74CBBB0BFFA6C4
DllNotify\DllNotify.identcache (binary)
  MD5: E0FD5A6654CE23833210A93D75242E8B
  SHA256: 284F6084F7252CE803110B24BFADBD0F9DDBE67D401DD21F800D47216BB05E9C
DllNotify\DllNotify.upx (executable)
  MD5: 0FE9CB3C5543066446BF35256BE6D075
  SHA256: 63EC784F9F661C40055543C80BCC1A8A296C071BA6126CCDDAAAC882D4EEC594
Cliente.exe (executable)
  MD5: 380AE02D821B7D153A88F55FA4AB26E3
  SHA256: 7504769222FA995FA25A30F6C39332B9CB07DE5BA6A394ABB30E1174657065B5
skins\2010Black_Ext.skn (binary)
  MD5: E2698F6740C3769F5A005BBFA3A69EDC
  SHA256: BC58A9F627E71B01D96A426B5B48F1BCA54487422F706769677B81EDAC0A6933
skins\2010Silver_Aero.skn (binary)
  MD5: 6586B0BC38BE5A97385B0984615047DD
  SHA256: 4F242125BAB3808379934B1B23396147D0439A182258C5F3AD9184DB745E6DF3
skins\2010Blue_Aero.skn (binary)
  MD5: 50903ED4D83B95B36B2007BB5F2C8C5F
  SHA256: C77E0F222DBB43484D19F26CED16E293CDB1CDDEAACAB29DDC1DC81ECE75CFC6
Language\Português.ini (text)
  MD5: DD34F698B35187B22D8CE63099ACA0F2
  SHA256: 718D9C60C0074219C4549722F9588638B9DC1500CFD4340E56254CF242D2196A
skins\2010Black_Aero.skn (binary)
  MD5: 98626B9138F8112F6D1171055BC36752
  SHA256: 14F40C72244119C2163892A536E3A054A69023F08E530136F3C1460891C11129
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Reputation
4 | System | 192.168.100.255:137 | whitelisted
1076 | svchost.exe | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
1812 | svchost.exe | 239.255.255.250:1900 | whitelisted

(The Domain, ASN and CN columns were empty for every row.)

All four connections are local discovery traffic from OS processes: NetBIOS name and datagram service broadcasts (UDP 137/138) to the subnet broadcast address, LLMNR to the 224.0.0.252 multicast group (UDP 5355) and SSDP to 239.255.255.250 (UDP 1900). None is attributable to Cliente.exe (PID 3880), so no command-and-control traffic was captured in this run; the "unknown" reputation on the LLMNR row reflects only that the multicast address has no reputation entry.
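The check just described can be applied mechanically to the rows above. The script below is an added example, not part of the ANY.RUN report: a destination counts as discovery noise only when it is a multicast or subnet-broadcast address, the port is one of the well-known discovery services, and the sender is an OS process; anything sent by the sample's own PID, or any unicast destination, is surfaced for review or escalation. The /24 LAN prefix, the port list, the process names and the one constructed escalation row are assumptions of this example.

```python
"""Triage the Connections rows of a sandbox report.

Added example, not ANY.RUN's code. Separates host-discovery noise from
anything that deserves a look as a possible controller contact. The LAN
prefix, port set and process names are this example's assumptions.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

# Assumption: the sandbox guest sits in 192.168.100.0/24 (the report shows
# traffic to 192.168.100.255, that prefix's directed-broadcast address).
SANDBOX_LAN = ipaddress.ip_network("192.168.100.0/24")

# Broadcast/multicast discovery protocols: NetBIOS-NS/-DGM, mDNS, LLMNR, SSDP.
DISCOVERY_PORTS = {137, 138, 5353, 5355, 1900}
OS_PROCESSES = {"system", "svchost.exe"}

Row = Tuple[int, str, str, str]  # (PID, process, "ip:port", reputation)

# The four rows of the report's Connections table.
REPORT_ROWS: List[Row] = [
    (4, "System", "192.168.100.255:137", "whitelisted"),
    (1076, "svchost.exe", "224.0.0.252:5355", "unknown"),
    (4, "System", "192.168.100.255:138", "whitelisted"),
    (1812, "svchost.exe", "239.255.255.250:1900", "whitelisted"),
]


def parse_endpoint(endpoint: str):
    """Split 'ip:port' into an ipaddress object and an int port."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(pid: int, process: str, endpoint: str,
             lan=SANDBOX_LAN, sample_pids: FrozenSet[int] = frozenset()) -> str:
    """Return 'noise: ...', 'review: ...' or 'escalate: ...' for one row."""
    ip, port = parse_endpoint(endpoint)
    if pid in sample_pids:
        # Anything the sample itself sends is interesting, even to a broadcast address.
        return "escalate: traffic originates from the sample's process"
    to_group = ip.is_multicast or ip == lan.broadcast_address
    if to_group and port in DISCOVERY_PORTS and process.lower() in OS_PROCESSES:
        return "noise: OS name-resolution/discovery broadcast"
    if ip in lan:
        return "review: unicast traffic inside the sandbox LAN"
    return "escalate: unicast traffic to a host outside the LAN"


def triage(rows: List[Row], lan=SANDBOX_LAN,
           sample_pids: FrozenSet[int] = frozenset()) -> Dict[str, List[str]]:
    """Bucket rows by verdict; the dict keys are 'noise', 'review', 'escalate'."""
    buckets: Dict[str, List[str]] = {"noise": [], "review": [], "escalate": []}
    for pid, process, endpoint, reputation in rows:
        verdict = classify(pid, process, endpoint, lan, sample_pids)
        buckets[verdict.split(":", 1)[0]].append(
            f"PID {pid} {process} -> {endpoint} [{reputation}]: {verdict}")
    return buckets


if __name__ == "__main__":
    # Cliente.exe is PID 3880 in the report; it appears in no connection row.
    for bucket, lines in triage(REPORT_ROWS, sample_pids=frozenset({3880})).items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("  " + line)
```

Run against the report's rows with `sample_pids={3880}` everything lands in the noise bucket, which is the same conclusion as the paragraph above; a constructed row such as `(3880, "Cliente.exe", "203.0.113.10:4444", "unknown")` would be escalated on the PID check alone, before the destination is even considered.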

DNS requests

No data

Threats

No threats detected
No debug info