File name: 样本.rar
Full analysis: https://app.any.run/tasks/9dc2e833-cc1e-417c-a778-01c117e8a490
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: July 18, 2019, 06:39:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, gh0st, pcrat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 7E731F00A7C9096CC067ADD7FE79AB36
SHA1: DB28AEED2776B55BDBF30FE5BCBBD1A00B04164F
SHA256: 796C8160374733208496F23B6B27B757F24E69507C96CF8DDE394C12FC003A9B
SSDEEP: 24576:C0lpwXXFPKNtbn2Zc2gz7yFAaobBW6j6HiovKC+54iqZjYXJ85dCuYWhcn:pbOCNRFh9Pj0L+Fq5YX2A9n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 游戏位置.exe (PID: 4044)
      • Hi.exe (PID: 3092)
      • 游戏位置.exe (PID: 2148)
    • UAC/LUA settings modification
      • Hi.exe (PID: 3092)
    • Connects to CnC server
      • Hi.exe (PID: 3092)
    • GH0ST was detected
      • Hi.exe (PID: 3092)
  • SUSPICIOUS
    • Executed via COM
      • DllHost.exe (PID: 4044)
    • Executable content was dropped or overwritten
      • 游戏位置.exe (PID: 2148)
    • Starts CMD.EXE for commands execution
      • 游戏位置.exe (PID: 2148)
  • INFO
    • Manual execution by user
      • 游戏位置.exe (PID: 4044)
      • 游戏位置.exe (PID: 2148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: 游戏位置\游戏位置.exe
PackingMethod: Normal
ModifyDate: 2019:07:13 15:52:16
OperatingSystem: Win32
UncompressedSize: 1482240
CompressedSize: 1415174
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain shown in the graph (process details are in the full report): start → winrar.exe → 游戏位置.exe → 游戏位置.exe (drop and start) → PhotoViewer.dll → hi.exe (#GH0ST) → cmd.exe

Process information

PID: 3224
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\样本.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 4044
CMD: "C:\Users\admin\Desktop\游戏位置.exe"
Path: C:\Users\admin\Desktop\游戏位置.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: 易语言程序
Exit code: 3221226540
Version: 1.0.0.0

PID: 2148
CMD: "C:\Users\admin\Desktop\游戏位置.exe"
Path: C:\Users\admin\Desktop\游戏位置.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: 易语言程序
Exit code: 0
Version: 1.0.0.0

PID: 4044
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3092
CMD: C:\$loading\Word\Hi.exe
Path: C:\$loading\Word\Hi.exe
Parent process: 游戏位置.exe
User: admin
Integrity Level: HIGH
Description: calculator Microsoft 基础类应用程序
Version: 1, 0, 0, 1

PID: 2844
CMD: cmd /c C:\$loading\Word\EngineDP.bat
Path: C:\Windows\system32\cmd.exe
Parent process: 游戏位置.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 614
Read events: 589
Write events: 25
Delete events: 0

Modification events

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3224) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\样本.rar

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\AppData\Local\Temp
Executable files: 1
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID: 3224
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3224.47180\游戏位置\游戏位置.exe
Type:
MD5:
SHA256:

PID: 2148
Process: 游戏位置.exe
Filename: C:\Users\admin\AppData\Local\Temp\15845461234567931\TemporaryFile
Type:
MD5:
SHA256:

PID: 2148
Process: 游戏位置.exe
Filename: C:\$loading\Word\Xssdll.txt
Type: binary
MD5: 6821C7E361B1B0CC4A4D6C511322BC66
SHA256: AA94D5D2C18A5286CA845C405700B00E99E35F869F3AD8BE78703EFA0BD76698

PID: 2148
Process: 游戏位置.exe
Filename: C:\$loading\Word\EngineDP.bat
Type: text
MD5: 1DDD28F9B9979839EF368D564A21F872
SHA256: 1368A3BE866C175406938F3D31EB78E6336EDF799AB9526CE42A273DFD2D664A

PID: 2148
Process: 游戏位置.exe
Filename: C:\Users\admin\Desktop\tt.jpg
Type: image
MD5: 57DF263345EEBBF992835DC03B5B4A32
SHA256: E9720E596DCA1A4EC944F46FF2D5C70E9EF68497C0BDEB18CCA877A2F852A8F3

PID: 2148
Process: 游戏位置.exe
Filename: C:\$loading\Word\Hi.exe
Type: executable
MD5: EFAA898DBEB0CF16B4B85F6DFD443145
SHA256: C5D8477D65DA1EAFF91B5AB8B30253D2DC60AEA12F3FBC120BE5869E41E548EF

PID: 2148
Process: 游戏位置.exe
Filename: C:\Users\admin\AppData\Local\Temp\install.zip
Type: compressed
MD5: AC9FED83076EFFFCF82C62D8ED14F28F
SHA256: 90990B2A62EF02368A661F07CD8F50F82321350DD083F9F915F64A4BAC78671C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3092
Process: Hi.exe
IP: 160.19.49.189:1527
Domain:
ASN: LinkChina Telecom Global Limited.
CN: CN
Reputation: malicious

DNS requests

No data

Threats

PID: 3092
Process: Hi.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Backdoor family PCRat/Gh0st CnC traffic
No debug info