File name:

Xtreme RAT v2.9.zip

Full analysis: https://app.any.run/tasks/a3bcb030-37a7-4285-95c3-d05e4f8dc102
Verdict: Malicious activity
Analysis date: June 27, 2023, 17:44:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7FA5B638F601EA352476A602FCD4F86C

SHA1:

E88850E675AEF74FD8CA8DEA774F28534C02F773

SHA256:

56E7E3847666DCFA2DAFF802C9CB42D99E9A7763717C4AE03176042F53C0C58D

SSDEEP:

196608:d8uiHhv0MOwJkJcGj3owaHA4hfRwn+86TK+iry1pcmgg20:d8uiH+MOwqmGjYwaHhhO+8ipN20

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Cliente.exe (PID: 3880)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Create files in a temporary directory

      • Cliente.exe (PID: 3880)

    • Manual execution by a user

      • Cliente.exe (PID: 3880)

    • Reads the computer name

      • Cliente.exe (PID: 3880)

    • Checks supported languages

      • Cliente.exe (PID: 3880)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Cliente.exe
ZipUncompressedSize: 3565056
ZipCompressedSize: 3455461
ZipCRC: 0x13e87792
ZipModifyDate: 2011:06:18 23:12:34
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe cliente.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3140"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Xtreme RAT v2.9.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
3880"C:\Users\admin\Desktop\Cliente.exe" C:\Users\admin\Desktop\Cliente.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\cliente.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
1 086
Read events
1 078
Write events
8
Delete events
0

Modification events

(PID) Process:(3140) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
2
Suspicious files
98
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\DllNotify\DllNotify.upxexecutable
MD5:0FE9CB3C5543066446BF35256BE6D075
SHA256:63EC784F9F661C40055543C80BCC1A8A296C071BA6126CCDDAAAC882D4EEC594
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\DllNotify\DllNotify.identcachebinary
MD5:E0FD5A6654CE23833210A93D75242E8B
SHA256:284F6084F7252CE803110B24BFADBD0F9DDBE67D401DD21F800D47216BB05E9C
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\DllNotify\UnitPopup.pastext
MD5:22CB131C3D5FFFE095F50A2D923D6E28
SHA256:A90EF64886BD6C485BC7AD5F7309DCC0B899BA3B09076F8DA764B7AD415FB8FF
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\DllNotify\UnitPopup.dfmtext
MD5:6ED025AAC8552570A542E9320480BD8D
SHA256:0F3FC4E8A162E9688BF73830AB6FC5FC06889AC676B6F44F1744C61A98DB67D0
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\DllNotify\DllNotify.dprtext
MD5:7D03A752A969B1C0517D996E4C53E6C5
SHA256:F6B33F3DC38416E3F0B1F092373B2F2184A4AC22153AE2E752BA4F6A2D85C415
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\skins\2010Blue_Ext.sknbinary
MD5:B0224B4347F6A385C8404A802C2A4662
SHA256:8DB5AF8E5EEDB6AD4F0CF71232FFE13D37CA1186B7EF32E92A3C70FCD3E2B76B
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\Language\Español.initext
MD5:3AEF78D9431697C12DDF628B50B63C2D
SHA256:26555F8DC67B306545EA1EE150D3103422725F22F22AA5CEBCD98DC12ABBB290
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\Language\Português.initext
MD5:DD34F698B35187B22D8CE63099ACA0F2
SHA256:718D9C60C0074219C4549722F9588638B9DC1500CFD4340E56254CF242D2196A
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\skins\2010Black_Aero.sknbinary
MD5:98626B9138F8112F6D1171055BC36752
SHA256:14F40C72244119C2163892A536E3A054A69023F08E530136F3C1460891C11129
3140WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3140.37151\DllNotify\__history\UnitPopup.dfm.~1~text
MD5:0D8CC9BA6BAF871E0949EC08BC95F804
SHA256:94099206598EC9DF7A0F7EC1E1B46680D0963000EDB75CBEBD8E52D48F9037B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1076
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1812
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Xtreme RAT v2.9.zip