File name: ProSpy RAT 2012.rar

Full analysis: https://app.any.run/tasks/16e4896f-db14-4d6f-88a3-ef1a6563722e
Verdict: Malicious activity
Analysis date: February 21, 2024, 14:09:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 3B6AA29CFAE642AEE91C644A676E77CC
SHA1: 6647B44CAA78F4C097725C4BE2377E620564304E
SHA256: A1F89234306B972A6B97E1A68444F88A1A969CDA63BCF92AB00364C95ED984FC
SSDEEP: 98304:qNnZW6XGD1rXogKsgAhIyE4EfOczYTnjc+zprbbXXCAmhEmXqJ+wILkVcUGJRLO2:Z8ehXkj0dlQBs09

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Server_Builder.exe (PID: 3932)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3668)
    • Detected use of alternative data streams (AltDS)

      • Server_Builder.exe (PID: 3932)
    • Executable content was dropped or overwritten

      • Server_Builder.exe (PID: 3932)
    • Reads the Internet Settings

      • Server_Builder.exe (PID: 3932)
    • Reads security settings of Internet Explorer

      • Server_Builder.exe (PID: 3932)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3668)
    • Reads the machine GUID from the registry

      • Server_Builder.exe (PID: 3932)
      • pro-spy1.exe (PID: 2860)
    • Manual execution by a user

      • Server_Builder.exe (PID: 3932)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3668)
    • Checks supported languages

      • Server_Builder.exe (PID: 3932)
      • pro-spy1.exe (PID: 2860)
      • Server_Builder.exe (PID: 2580)
    • Reads the computer name

      • Server_Builder.exe (PID: 3932)
      • pro-spy1.exe (PID: 2860)
    • Create files in a temporary directory

      • Server_Builder.exe (PID: 3932)
    • Reads Environment values

      • Server_Builder.exe (PID: 3932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 147
UncompressedSize: 256
OperatingSystem: Win32
ModifyDate: 2013:09:25 21:38:36
PackingMethod: Good Compression
ArchivedFileName: ProSpy RAT 2012\!leeme?.txt
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

start winrar.exe server_builder.exe server_builder.exe no specs pro-spy1.exe

Process information

PID: 2580
CMD: "C:\Users\admin\AppData\Local\Temp\Server_Builder.exe"
Path: C:\Users\admin\AppData\Local\Temp\Server_Builder.exe
Parent process: Server_Builder.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules / Images:
c:\users\admin\appdata\local\temp\server_builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

PID: 2860
CMD: "C:\Users\admin\AppData\Local\Temp\pro-spy1.exe"
Path: C:\Users\admin\AppData\Local\Temp\pro-spy1.exe
Parent process: Server_Builder.exe
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 0.0.0.0
Modules / Images:
c:\users\admin\appdata\local\temp\pro-spy1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3668
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ProSpy RAT 2012.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules / Images:
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3932
CMD: "C:\Users\admin\Desktop\ProSpy RAT 2012\Server_Builder.exe"
Path: C:\Users\admin\Desktop\ProSpy RAT 2012\Server_Builder.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules / Images:
c:\users\admin\desktop\prospy rat 2012\server_builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
7 025
Read events
7 005
Write events
20
Delete events
0

Modification events

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ProSpy RAT 2012.rar

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3668) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Executable files
26
Suspicious files
0
Text files
5
Unknown types
1

Dropped files

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\!leeme¡.txt
Type: text
MD5: B978EF61E761B84DDF5FAF345A400CB7
SHA256: 229100E7818236813D9CD4C9557FA8B68892A161452F497527C4CBF01B107479

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\Codejock.Controls.v13.0.0.Demo.ocx
Type: executable
MD5: 55494584D369F207E6E1B071E7168EC0
SHA256: 025EFDC63C61B3567DC8EB244517C715DDA12CF2AA4BC595E427E8D7B751FED7

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\COMCTL32.DLL
Type: executable
MD5: A77DFB85FAEE49D66C74DA6024EBC69B
SHA256: 587FDA8821B611B213ADFEEA7B94E8B3A83870F843D46AF0335584832E9D8644

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\Codejock.CommandBars.v13.0.0.Demo.ocx
Type: executable
MD5: CF73808B6F9C7B52EFF7719BA909FED8
SHA256: 3C3BDA5BEC1868F44FD1F16E9364644DFAA4D196521AC35CB176EFE522AFC8BB

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\MSCOMCTL.OCX
Type: executable
MD5: ECC7D7F0D3446DE36045D1D9E964FAFE
SHA256: BC58D624CEEA02AB086F1CCE809C992BF5A7105E88931853317A2F5AA5AFD6E4

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\MSFLXGRD.OCX
Type: executable
MD5: 06EE7BB3C681B9FA8AF4280A154EE133
SHA256: F2A67EB2888D8889C45576C037197C310FBBB00BB79089760508FDB132C690D2

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\COD3EF~1.OCA
Type: executable
MD5: B39C800840B7F88B3512B77BB95DF86C
SHA256: 5E4D50E0BA13AB0845E58C4AE5E00C5F2B337EEA7CFE0F7F6958DBECC23E353F

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\dataout.dat
Type: text
MD5: 2DD8CAF58454AADD3B6DF9EA28266F35
SHA256: A19C43DA4F87A5573A3C2141ED3A53CB6D779BD87A7E2EB135786767CFBB0173

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CONFIG.INI
Type: text
MD5: EF1C682DAAA74ABADA940E9F5E1A7B91
SHA256: B67FCD7DCA99EB80AFE0207B71049A125CB3119DC2E9279290CF13D9579FA3C6

PID: 3668
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3668.7553\ProSpy RAT 2012\CODEJOCK\COMDLG32.OCX
Type: executable
MD5: D76F0EAB36F83A31D411AEAF70DA7396
SHA256: 46F4FDB12C30742FF4607876D2F36CF432CDC7EC3D2C99097011448FC57E997C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info