File name: | 888_Private_RAT_-_Cracked.rar |
Full analysis: | https://app.any.run/tasks/ce5b0b6f-77be-4aad-aba3-0f5d2e8b13c6 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | September 29, 2020, 23:45:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 4866DE7B558A7539472A1B9A2B703051 |
SHA1: | 1DF0D533272F79BB15648F48E3753CEFD216E358 |
SHA256: | 9CBE1FB81E84EE2937BCA373A8ADD3B22ED3C4F85CF0A25AE14877DACC185671 |
SSDEEP: | 196608:1H+UaisCDdKWoNhX++nNiDDTGwWxG3HlzXeQOjAZvCvM0hAe:9+u7IWoNhu0gyM3HlzXreAvCv1ye |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
CompressedSize: | 6900011 |
---|---|
UncompressedSize: | 7395840 |
OperatingSystem: | Win32 |
ModifyDate: | 2016:12:23 13:10:27 |
PackingMethod: | Normal |
ArchivedFileName: | 888 Private RAT - Cracked\888 Private RAT - Cracked.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2668 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\888_Private_RAT_-_Cracked.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1924 | "C:\Users\admin\Desktop\888 Private RAT - Cracked\888 Private RAT - Cracked.exe" | C:\Users\admin\Desktop\888 Private RAT - Cracked\888 Private RAT - Cracked.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
2996 | "C:\Users\admin\AppData\Local\Temp\flagx.exe" | C:\Users\admin\AppData\Local\Temp\flagx.exe | — | 888 Private RAT - Cracked.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2424 | C:\Windows\system32\cmd.exe /c Obfuscator.exe Server.au3 | C:\Windows\system32\cmd.exe | — | 888 Private RAT - Cracked.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1916 | Obfuscator.exe Server.au3 | C:\Users\admin\AppData\Local\Temp\Obfuscator.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Description: Strip and/or Obfuscate your AutoIt3 scripts. Exit code: 5 Version: 1.0.31.0 | ||||
3268 | C:\Users\admin\AppData\Local\Temp\Aut2exe.exe /in C:\Users\admin\AppData\Local\Temp/Server.au3 /out C:\Users\admin\AppData\Local\Temp/WLTPRL.exe /icon C:\Users\admin\AppData\Local\Temp\ssc.ico /comp 2 /pack /Unicode | C:\Users\admin\AppData\Local\Temp\Aut2exe.exe | 888 Private RAT - Cracked.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: Aut2Exe Exit code: 0 Version: 3, 3, 8, 1 | ||||
4084 | "C:\Users\admin\AppData\Local\Temp\upx.exe" --best --compress-icons=0 "C:\Users\admin\AppData\Local\Temp\WLTPRL.exe" | C:\Users\admin\AppData\Local\Temp\upx.exe | Aut2exe.exe | |
User: admin Company: The UPX Team http://upx.sf.net Integrity Level: MEDIUM Description: UPX executable packer Exit code: 0 Version: 3.07 (2010-09-08) | ||||
3364 | "C:\Program Files\Internet Explorer\iexplore.exe" http://canyouseeme.org/ | C:\Program Files\Internet Explorer\iexplore.exe | — | 888 Private RAT - Cracked.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2980 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3364 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3016 | "C:\Program Files\Internet Explorer\iexplore.exe" http://canyouseeme.org/ | C:\Program Files\Internet Explorer\iexplore.exe | — | 888 Private RAT - Cracked.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\888_Private_RAT_-_Cracked.rar | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
(PID) Process: | (2668) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\AppData\Local\Temp |
PID | Process | Filename | Type | |
---|---|---|---|---|
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\autFEF.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\ylqcitt | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut108C.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut109D.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut10BD.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut10DE.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut10FE.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut2FD1.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut2FD2.tmp | — | |
MD5:— | SHA256:— | |||
1924 | 888 Private RAT - Cracked.exe | C:\Users\admin\AppData\Local\Temp\aut2FE3.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2980 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQy2pThv%2BNvQXjbWx4tjWAp%2BA%3D%3D | unknown | der | 527 b | whitelisted |
2980 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAza7o%2F6OJWW7D4ii9B5OMQ%3D | US | der | 280 b | whitelisted |
2980 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
3092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAza7o%2F6OJWW7D4ii9B5OMQ%3D | US | der | 280 b | whitelisted |
3092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAza7o%2F6OJWW7D4ii9B5OMQ%3D | US | der | 280 b | whitelisted |
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2980 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAza7o%2F6OJWW7D4ii9B5OMQ%3D | US | der | 280 b | whitelisted |
2980 | iexplore.exe | GET | 302 | 52.202.215.126:80 | http://canyouseeme.org/ | US | html | 287 b | whitelisted |
3092 | iexplore.exe | GET | 302 | 52.202.215.126:80 | http://canyouseeme.org/ | US | html | 287 b | whitelisted |
2476 | KKCYMOgpj.EXE | GET | 200 | 188.138.68.212:80 | http://ip-score.com/checkip/ | DE | html | 9.64 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2980 | iexplore.exe | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
2980 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2980 | iexplore.exe | 52.202.215.126:80 | canyouseeme.org | Amazon.com, Inc. | US | unknown |
2980 | iexplore.exe | 172.217.22.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2980 | iexplore.exe | 104.16.122.175:443 | unpkg.com | Cloudflare Inc | US | shared |
2980 | iexplore.exe | 52.202.215.126:443 | canyouseeme.org | Amazon.com, Inc. | US | unknown |
2980 | iexplore.exe | 216.58.205.226:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
3092 | iexplore.exe | 52.202.215.126:80 | canyouseeme.org | Amazon.com, Inc. | US | unknown |
— | — | 172.217.22.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3092 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
canyouseeme.org |
| unknown |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
unpkg.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ip-score.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2476 | KKCYMOgpj.EXE | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2476 | KKCYMOgpj.EXE | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-score.com |