analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811

Full analysis: https://app.any.run/tasks/1a81c3f3-3cda-45f8-8267-a36202345acd
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 10:49:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
redaman
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

D20A296B127A15EDBEAFD5D040DBD737

SHA1:

4E494362214B5CE744AAD5E5C023651C6D0E42DD

SHA256:

7D65BA40D84B4886D110210F917952AFFA1B639A3F7052D11CBC98C5D9CAB811

SSDEEP:

6144:1/0uoVHDw2DTmiC0WtORjAmfUfwnAO87ccRV4Ovv0a7:1J8VDTmbTSUqAzccRVwa7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 4056)
      • explorer.exe (PID: 304)
      • rundll32.exe (PID: 3936)

    • REDAMAN was detected

      • rundll32.exe (PID: 4056)

    • Changes the autorun value in the registry

      • 7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe (PID: 2792)

    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 3936)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe (PID: 2792)
      • rundll32.exe (PID: 3936)

    • Executed via Task Scheduler

      • rundll32.exe (PID: 4056)

    • Connects to server without host name

      • rundll32.exe (PID: 4056)

    • Creates files in the program directory

      • rundll32.exe (PID: 3936)

    • Uses RUNDLL32.EXE to load library

      • 7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe (PID: 2792)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:04:13 20:32:45+02:00
PEType: PE32
LinkerVersion: 7.1
CodeSize: 39424
InitializedDataSize: 220160
UninitializedDataSize: -
EntryPoint: 0x645c
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.2900.5512
ProductVersionNumber: 6.0.2900.5512
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Корпорация Майкрософт
FileDescription: Самоизвлечение CAB-файлов Win32
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
InternalName: Wextract
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
OriginalFileName: WEXTRACT.EXE
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 6.00.2900.5512

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 13-Apr-2008 18:32:45
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • wextract.pdb
CompanyName: Корпорация Майкрософт
FileDescription: Самоизвлечение CAB-файлов Win32
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
InternalName: Wextract
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
OriginalFilename: WEXTRACT.EXE
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 6.00.2900.5512

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 13-Apr-2008 18:32:45
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000099C8
0x00009A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.57884
.data
0x0000B000
0x00001BE4
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.248
.rsrc
0x0000D000
0x00036000
0x00035800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.86422

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.85834
1088
Latin 1 / Western European
Russian - Russia
RT_VERSION
2
3.53793
296
Latin 1 / Western European
Russian - Russia
RT_ICON
63
3.35444
136
Latin 1 / Western European
Russian - Russia
RT_STRING
76
3.72032
1304
Latin 1 / Western European
Russian - Russia
RT_STRING
77
3.98993
1428
Latin 1 / Western European
Russian - Russia
RT_STRING
80
3.95368
1204
Latin 1 / Western European
Russian - Russia
RT_STRING
83
3.83652
1056
Latin 1 / Western European
Russian - Russia
RT_STRING
85
3.72449
724
Latin 1 / Western European
Russian - Russia
RT_STRING
2001
3.97078
824
Latin 1 / Western European
Russian - Russia
RT_DIALOG
2002
3.91092
396
Latin 1 / Western European
Russian - Russia
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
VERSION.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
4
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start 7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe rundll32.exe #REDAMAN rundll32.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2792"C:\Users\admin\AppData\Local\Temp\7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe" C:\Users\admin\AppData\Local\Temp\7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe
explorer.exe
User:
admin
Company:
Корпорация Майкрософт
Integrity Level:
MEDIUM
Description:
Самоизвлечение CAB-файлов Win32
Exit code:
0
Version:
6.00.2900.5512 (xpsp.080413-2105)
3936rundll32.exe 13127v.dll,DllGetClassObject root 000000000000 Post Install program: <None>C:\Windows\system32\rundll32.exe
7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4056rundll32.exe "C:\ProgramData\2daf8815353e\2eac8b16363d.dat",DllGetClassObject rootC:\Windows\system32\rundll32.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
304C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
48
Read events
29
Write events
19
Delete events
0

Modification events

(PID) Process:(2792) 7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:wextract_cleanup0
Value:
rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
(PID) Process:(304) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3936) rundll32.exeKey:HKEY_CURRENT_USER\Software\1795b22f0f04
Operation:writeName:41ecc984c611c3e873
Value:
EDB16EA2
(PID) Process:(3936) rundll32.exeKey:HKEY_CURRENT_USER\Software\1795b22f0f04
Operation:writeName:41ecc984c611c3e873
Value:
26670B737B7A4D1D32761183648C12CCBEC74A95E954EB03896C31E22B020262225CA024059231C5EABAE9A2890BC1449F0993B08EBA9D1A9C2FFF4C7BD5A6CCE085F0699645577EF753BF7ADBA372C75E90D2BA65701349AA5B1B49B3B83B32B81E41BA4B425E1753108BFED497F59569D40649
(PID) Process:(4056) rundll32.exeKey:HKEY_CURRENT_USER\Software\1795b22f0f04
Operation:writeName:41ecc984c611c3e873
Value:
6048D748
(PID) Process:(4056) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4056) rundll32.exeKey:HKEY_CURRENT_USER\Software\1795b22f0f04
Operation:writeName:82052e428d7349e9fe4582a7
Value:
3498B8FE5A95DB346C66DC4949458DF8C519FF42E049B95E580BF9C045D320B52C1E8658BBC8A30BD898E03C5DF98F5A2C2CAA0E282D912C510107FE1E
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
27927d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\13127v.dllexecutable
MD5:9FC4EC184E0C8DC09D9AD8328F6BBAE7
SHA256:D5AC5A09D7233CC02B01FBAEB0F331C7DA22A129CE2F8B04CAA4BD9AC5F71FA7
3936rundll32.exeC:\ProgramData\2daf8815353e\2eac8b16363d.datexecutable
MD5:9FC4EC184E0C8DC09D9AD8328F6BBAE7
SHA256:D5AC5A09D7233CC02B01FBAEB0F331C7DA22A129CE2F8B04CAA4BD9AC5F71FA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4056
rundll32.exe
POST
3.17.133.179:80
http://3.17.133.179/index.php
US
malicious
4056
rundll32.exe
POST
200
82.118.22.47:80
http://82.118.22.47/index.php
UA
text
9 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4056
rundll32.exe
3.17.133.179:80
US
malicious
4056
rundll32.exe
104.25.47.99:443
chain.so
Cloudflare Inc
US
shared
4056
rundll32.exe
82.118.22.47:80
ITL Company
UA
malicious

DNS requests

Domain
IP
Reputation
chain.so
  • 104.25.47.99
  • 104.25.48.99
whitelisted

Threats

PID
Process
Class
Message
4056
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
4056
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
7d65ba40d84b4886d110210f917952affa1b639a3f7052d11cbc98c5d9cab811