Field | Value
---|---
File name | C:\Users\Public\Pictures\eavzrp\eavzrp.exe
Full analysis | https://app.any.run/tasks/3aee4ccc-eca0-47ad-9fb4-168acb8dacd7
Verdict | Malicious activity
Threats | Remote access trojans (RATs) are a type of malware that gives attackers full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Analysis date | December 06, 2022, 04:25:40
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5 | 9E8E1AF186A1BA7DD0CD2CA87EC1732F
SHA1 | CC52472EF1E0986EC5569954E037AF4B51DC5523
SHA256 | 673EE587B01FAEF7EFAC76E036B307AA6FBE178CF5B25DDF42A0CEBAEFF13C79
SSDEEP | 12288:1g76eInfFn0sZe/+0t5btfUlWAK/saAXTSHJSE7D/nUkPhpi5oP:1w6Jn0b/VVw+JSE7D/nUkPhpl
Extension | Identified type | Probability
---|---|---
.exe | Win32 EXE PECompact compressed (v2.x) | 51
.exe | Win32 EXE PECompact compressed (generic) | 35.9
.dll | Win32 Dynamic Link Library (generic) | 5.6
.exe | Win32 Executable (generic) | 3.8
.exe | Generic Win/DOS Executable | 1.7
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2022-Dec-05 07:22:18
Detected languages | 

Version info field | Value
---|---
Comments | 360压缩
CompanyName | 360.cn
FileDescription | 360压缩
FileVersion | 4, 0, 0, 1380
InternalName | 360zip
LegalCopyright | (C) 360.cn Inc. All Rights Reserved.
OriginalFilename | 360zip.exe
ProductName | 360压缩
ProductVersion | 4, 0, 0, 1380
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 144
e_cp | 3
e_crlc | -
e_cparhdr | 4
e_minalloc | -
e_maxalloc | 65535
e_ss | -
e_sp | 184
e_csum | -
e_ip | -
e_cs | -
e_ovno | -
e_oemid | -
e_oeminfo | -
e_lfanew | 256

NT header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 2
TimeDateStamp | 2022-Dec-05 07:22:18
PointerToSymbolTable | -
NumberOfSymbols | -
SizeOfOptionalHeader | 224
Characteristics | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 1421312 | 659968 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99968 |
.rsrc | 1425408 | 49152 | 48128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.26466 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 0 | 23822 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
2 | 0 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 7.96721 | 23822 | UNKNOWN | Chinese - PRC | RT_ICON |
4 | 5.48258 | 9640 | UNKNOWN | Chinese - PRC | RT_ICON |
5 | 5.39354 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON |
6 | 5.46319 | 2440 | UNKNOWN | Chinese - PRC | RT_ICON |
7 | 4.65056 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON |
132 | 2.68074 | 76 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON |
1 (#2) | 3.47154 | 752 | UNKNOWN | Chinese - PRC | RT_VERSION |
1 (#3) | 5.09091 | 664 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
Imported DLL
---
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
comdlg32.dll
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
1580 | "C:\Users\admin\AppData\Local\Temp\eavzrp.exe" | C:\Users\admin\AppData\Local\Temp\eavzrp.exe | — | Explorer.EXE | admin | 360.cn | MEDIUM | 360压缩 | 3221226540 | 4, 0, 0, 1380
3176 | "C:\Users\admin\AppData\Local\Temp\eavzrp.exe" | C:\Users\admin\AppData\Local\Temp\eavzrp.exe | | Explorer.EXE | admin | 360.cn | HIGH | 360压缩 | 0 | 4, 0, 0, 1380
2944 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | 0 | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2300 | "C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe" | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | — | Explorer.EXE | admin | 四川盛创时代 | MEDIUM | WeFun | 0 | 
3532 | "C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe" | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | | Aggregatorhost.exe | admin | 四川盛创时代 | HIGH | WeFun | 0 | 
3360 | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | | Aggregatorhost.exe | admin | 四川盛创时代 | HIGH | WeFun | | 
2324 | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | 四川盛创时代 | HIGH | WeFun | 0 | 
3968 | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | 四川盛创时代 | HIGH | WeFun | 0 | 
2256 | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | 四川盛创时代 | HIGH | WeFun | 0 | 
4092 | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | 四川盛创时代 | HIGH | WeFun | 0 | 
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | write | 0
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | write | 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | write | 
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | write | Cookie:
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | write | Visited:
3176 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionReason | write | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3176 | eavzrp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GD099VLC.txt | text | CEA3FDC0C04EAEE7C9CA4FA005D0E556 | 8013A517B3491DE6B2FC5EF1DC79D525F5031386CBD8B0622436F771A4EBB5C3
3176 | eavzrp.exe | C:\Users\Public\Downloads\Misnobi\wfzggt\a.pack | binary | B6F208A15BDFF16406D9F33E825CFE9A | 69C2B858132E64D1642EBE4779EC2410762C3BA40F7784694FED4297A01A5938
3176 | eavzrp.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Aggregatorhost.exe | executable | DD9BBCDA5DC4AC0BE23E57B36BC3840E | E9BE44B199D99D7175280EC398CD59B636584226469CB9B87E2507CDDDAF0CE2
3176 | eavzrp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\0HIQH6FH.txt | text | 18E6097CFCDEF92B129664BDF51C6AE4 | FBEBAB0643FFFFEC4EEF7DB6FA5656361C2647F427EE6009A3CE45E019F055B6
3176 | eavzrp.exe | C:\Users\Public\Downloads\Tencente\wfzggt\Enpud.png | text | 7877089862389879625BCE08DBEEF1ED | 2A7D8BC8EECB605F29576CECCB869AF247EF8B9C6B30CB4C19BE6748AF4503BB
3176 | eavzrp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\KFLTTUT8.txt | text | 0DEAAB45162D491BC8694F4B3A962D01 | AE7E14C357EACB651EFA73508051E0BD756DB0873EDF104087DAB2A63C7FD25A
3176 | eavzrp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\L1I2RG64.txt | text | ED9E84A3136B056B95E6E055FF16E5CB | D2486448F60FB5B0580018AE19AE00CE3A4CAD1A433B823BF73C8312BA494AE1
3176 | eavzrp.exe | C:\Users\admin\AppData\Local\Aggregatorhost.exe | executable | DD9BBCDA5DC4AC0BE23E57B36BC3840E | E9BE44B199D99D7175280EC398CD59B636584226469CB9B87E2507CDDDAF0CE2
3176 | eavzrp.exe | C:\Windows\system32\libcef.dll | executable | 7B4A7F342D1705329A9F4653106C9A39 | B46DAA955640A2E830EFC3D69A813DF722FD6D9B2C57E8249DDAA4290C1E045F
3176 | eavzrp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\SA919AXF.htm | html | 191FA40AF1B4B39253FE3EA3D9C0CE35 | EB8365043AFCDE13F604962DA457E10D431854C769893365A837DC0494B2FF5A
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3176 | eavzrp.exe | 103.235.46.40:443 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | suspicious |
3360 | Aggregatorhost.exe | 216.83.53.197:8081 | — | Sun Network Hong Kong Limited - HongKong Backbone | US | malicious |
Domain | IP | Reputation
---|---|---
www.baidu.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3360 | Aggregatorhost.exe | A Network Trojan was detected | ET TROJAN FatalRAT CnC Activity |
3360 | Aggregatorhost.exe | A Network Trojan was detected | ET TROJAN FatalRAT CnC Activity |
Process | Message
---|---
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...
Aggregatorhost.exe | SVP7-Thread running...