File name: Ratool.zip

Full analysis: https://app.any.run/tasks/1dd91a8d-566d-4cba-8997-77a6ed6aeb90
Verdict: Malicious activity
Analysis date: August 12, 2022, 13:56:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: CA2A75E392532DE2B6BBB3A586DB5ECB
SHA1: B55F2428D6ACA42CDA42D13CB262D0B80A7352A2
SHA256: 99C3FE54A4F318FA495180D0EFD25376DCE6610EB9AFA44C46E113F555D1F977
SSDEEP: 24576:DiYtxjdQcY7dgAs3tvx/x4kf6jhXT/ddDA4zk4SygAS9ToAZ2CEJ:eY3dQV83tvx/byjhXTj84z1/gAooAAV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3448)
    • Application was dropped or rewritten from another process
      • Ratool.exe (PID: 3876)
      • Ratool.exe (PID: 416)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3448)
      • Ratool.exe (PID: 3876)
      • DrvInst.exe (PID: 2972)
      • DrvInst.exe (PID: 2324)
      • DrvInst.exe (PID: 3352)
    • Checks supported languages
      • WinRAR.exe (PID: 3448)
      • Ratool.exe (PID: 3876)
      • DrvInst.exe (PID: 2972)
      • DrvInst.exe (PID: 2324)
      • DrvInst.exe (PID: 3352)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3448)
    • Reads mouse settings
      • Ratool.exe (PID: 3876)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3448)
    • Executed via COM
      • rundll32.exe (PID: 3944)
      • DrvInst.exe (PID: 2972)
      • DrvInst.exe (PID: 2324)
      • DrvInst.exe (PID: 3352)
      • rundll32.exe (PID: 1560)
    • Creates or modifies windows services
      • Ratool.exe (PID: 3876)
  • INFO
    • Checks supported languages
      • NOTEPAD.EXE (PID: 2396)
      • rundll32.exe (PID: 3944)
      • dinotify.exe (PID: 3108)
      • rundll32.exe (PID: 1560)
    • Reads the computer name
      • rundll32.exe (PID: 3944)
      • dinotify.exe (PID: 3108)
    • Checks Windows Trust Settings
      • DrvInst.exe (PID: 2972)
      • DrvInst.exe (PID: 2324)
      • DrvInst.exe (PID: 3352)
    • Reads settings of System Certificates
      • DrvInst.exe (PID: 2972)
      • DrvInst.exe (PID: 3352)
      • DrvInst.exe (PID: 2324)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:05:20 11:51:12
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Ratool_v1.4/
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph: interactive graph not reproduced in this extract. Processes shown: winrar.exe, notepad.exe, ratool.exe (two instances), rundll32.exe (two instances), drvinst.exe (three instances), dinotify.exe.

Process information

PID: 3448
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ratool.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2396
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3448.23527\Ratool.ini
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 416
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe
Parent process: WinRAR.exe
User: admin
Company: www.sordum.org
Integrity Level: MEDIUM
Description: Removable Access Tool
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.4.0.0

PID: 3876
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe
Parent process: WinRAR.exe
User: admin
Company: www.sordum.org
Integrity Level: HIGH
Description: Removable Access Tool
Version: 1.4.0.0

PID: 3944
CMD: rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{e3f4257d-e19b-4d4d-91d3-63b4f2c2bc34} "(null)"
Path: C:\Windows\system32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2972
CMD: DrvInst.exe "1" "200" "{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01" "" "" "66583b687" "00000000" "0000039C" "00000404"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3108
CMD: "C:\Windows\System32\dinotify.exe" pnpui.dll,SimplifiedDINotification
Path: C:\Windows\System32\dinotify.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Device Installation
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2324
CMD: DrvInst.exe "1" "200" "SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000001" "" "" "69911eaf3" "00000000" "000005C8" "00000640"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1560
CMD: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3352
CMD: DrvInst.exe "1" "200" "SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000002" "" "" "6351683ab" "00000000" "0000063C" "00000630"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 10 338
Read events: 10 160
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 4
Suspicious files: 6
Text files: 7
Unknown types: 11

Dropped files

PID | Process | Type | Filename (MD5 and SHA256 listed under each entry)

3448 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24050\Ratool_v1.4\Read_me.txt
    MD5: DD943471DB59DA2D0ED51C4C91B63F03
    SHA256: DF6C183F66D23E87B33E58ACA1313E6AAE8283D6C259EBA78313177CBCA10603
3448 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$DIa3448.23527\Ratool.ini
    MD5: 48BCA3D2A69A56953EDFE830FD8560C9
    SHA256: 0908A366B1FF6ED375C42D583615860C365F3EA0F9C840DCF244E7C34147F57B
2972 | DrvInst.exe | binary | C:\Windows\INF\setupapi.ev2
    MD5: E2942171BC9F8B17E3E1142402B1AB97
    SHA256: 8B47E258B08C46F1CFC99A7D547734B9751A278D537390A33DFA90D744DEDEA5
3448 | WinRAR.exe | executable | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24050\Ratool_v1.4\Ratool_x64.exe
    MD5: 696EE9B9E12B9657C75F5FA4B60C7D5E
    SHA256: 4A740E6001C7B0F5DEBEF0E28D4B6DB0BF07AD98F9037E04EF913C2CBCCC1E0D
3448 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.ini
    MD5: 48BCA3D2A69A56953EDFE830FD8560C9
    SHA256: 0908A366B1FF6ED375C42D583615860C365F3EA0F9C840DCF244E7C34147F57B
3448 | WinRAR.exe | executable | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool_x64.exe
    MD5: 696EE9B9E12B9657C75F5FA4B60C7D5E
    SHA256: 4A740E6001C7B0F5DEBEF0E28D4B6DB0BF07AD98F9037E04EF913C2CBCCC1E0D
3448 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24050\Ratool_v1.4\Ratool.ini
    MD5: 48BCA3D2A69A56953EDFE830FD8560C9
    SHA256: 0908A366B1FF6ED375C42D583615860C365F3EA0F9C840DCF244E7C34147F57B
3876 | Ratool.exe | binary | C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    MD5: 1A0F235F89F4D04F1AEDA5F70BAACCF0
    SHA256: FB28B2D3452E3CF432F83C80860D9FCF45A798B2E557BDD0C3FB790A6080042F
3448 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Read_me.txt
    MD5: DD943471DB59DA2D0ED51C4C91B63F03
    SHA256: DF6C183F66D23E87B33E58ACA1313E6AAE8283D6C259EBA78313177CBCA10603
2972 | DrvInst.exe | pnf | C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_x86_neutral_efa659e9a38d5b8c\vhdmp.PNF
    MD5: 677F2BB0CD9BF36113F249D57F9A15C9
    SHA256: 94A01E4AA3CDC79DE76AF4D7D8650AC552981ACE0ED4C7B8967B9576BCCC6E24
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info