File name: 54545.rar
Full analysis: https://app.any.run/tasks/fe8671a3-cb21-42cc-a226-da09e09277db
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: August 08, 2020, 10:26:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B837EC3418F5BE6B0F680FA37EF047A8
SHA1: 0F199F209A19DF648AEB15706F0FAEF5D998D24E
SHA256: 6FE05047C64E93B50B90421F45EA066A114D2DF30F29E97D92F163E6F10EDC8B
SSDEEP: 384:hvj+B1L55H7b/n8WWwpMam7WFxgd3fwkhf8g+q9W7NN:5+B195H//8WRhmEONwsXVI7NN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • WScript.exe (PID: 3424)
    • Uses Task Scheduler to autorun other applications
      • WScript.exe (PID: 3424)
    • Changes the login/logoff helper path in the registry
      • WScript.exe (PID: 3424)
    • Writes to a start menu file
      • WScript.exe (PID: 3424)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 340)
  • SUSPICIOUS
    • Creates files in the user directory
      • WScript.exe (PID: 3424)
    • Reads Internet Cache Settings
      • WScript.exe (PID: 3424)
  • INFO
    • Manual execution by user
      • WScript.exe (PID: 3424)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 42
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes: winrar.exe (no specs), wscript.exe, schtasks.exe (no specs)

Process information

PID | CMD | Path | Parent process

2804 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\54545.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

3424 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\54545.vbs" | C:\Windows\System32\WScript.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

340 | "C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /RL HIGHEST /tn 54545.vbs /tr "C:\Users\admin\AppData\Roaming\54545.vbs" | C:\Windows\System32\schtasks.exe | WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 599
Read events: 563
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3424 | WScript.exe | C:\Users\admin\AppData\Roaming\54545.vbs | text
MD5: D7119C86DC22BAD02514C233F977A6E2
SHA256: E40E2808E62352CCBF6067EF6E22654302EFC5B77B39A668D78EB038AD1CC471

3424 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54545.vbs | text
MD5: D7119C86DC22BAD02514C233F977A6E2
SHA256: E40E2808E62352CCBF6067EF6E22654302EFC5B77B39A668D78EB038AD1CC471

2804 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.23342\54545.vbs | text
MD5: D7119C86DC22BAD02514C233F977A6E2
SHA256: E40E2808E62352CCBF6067EF6E22654302EFC5B77B39A668D78EB038AD1CC471
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

3424 | WScript.exe | POST | 404 | 77.222.61.114:80 | http://malwrtest.temp.swtest.ru/gate.php | RU | html | 322 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3424 | WScript.exe | 77.222.61.114:80 | malwrtest.temp.swtest.ru | SpaceWeb Ltd | RU | malicious

DNS requests

Domain | IP | Reputation

malwrtest.temp.swtest.ru | 77.222.61.114 | malicious

Threats

PID | Process | Class | Message

3424 | WScript.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer
No debug info