File name: M0AB RAT V6.rar
Full analysis: https://app.any.run/tasks/9c15d35e-b0f3-436c-8d94-717293a346ba
Verdict: Malicious activity
Analysis date: March 10, 2024, 17:25:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BFF7A7A22BDC728A4F4576ED6EBAA559
SHA1: FF2473570EB1C8B818ED655E91B7BC33DEDE499B
SHA256: B0B39548818D2B5DC4BA77C82DBEE37E08DCCA438C9DF7B158126700FE737707
SSDEEP: 98304:4oeqHXesstKIMZxOGxkSuQrZROTQ9O68bzC084VCL2qR4sSqPtHnYrRnq6CtFZFT:wsQxy/3A4ff9f9rj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • WinRAR.exe (PID: 3972)
      • M0AB.exe (PID: 2580)
    • Changes the autorun value in the registry
      • M0AB.exe (PID: 2580)
  • SUSPICIOUS
    • Process drops a legitimate Windows executable
      • WinRAR.exe (PID: 3972)
    • Reads security settings of Internet Explorer
      • M0AB.exe (PID: 2580)
    • Reads the Internet Settings
      • M0AB.exe (PID: 2580)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3972)
    • Reads the computer name
      • M0AB.exe (PID: 2580)
    • Checks supported languages
      • M0AB.exe (PID: 2580)
    • Manual execution by a user
      • M0AB.exe (PID: 2580)
      • M0AB.exe (PID: 3460)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3972)
    • Reads the machine GUID from the registry
      • M0AB.exe (PID: 2580)
    • Creates files or folders in the user directory
      • M0AB.exe (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe, m0ab.exe, m0ab.exe (no specs)

Process information

PID 2580
  CMD: "C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe"
  Path: C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe
  Parent process: explorer.exe
  User: admin
  Company: M0AB SOFTWARE
  Integrity Level: HIGH
  Description: M0AB RAT
  Exit code: 0
  Version: 6.0.0.0
  Modules (images):
    c:\users\admin\desktop\m0ab rat v6\m0ab.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3460
  CMD: "C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe"
  Path: C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe
  Parent process: explorer.exe
  User: admin
  Company: M0AB SOFTWARE
  Integrity Level: MEDIUM
  Description: M0AB RAT
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 6.0.0.0
  Modules (images):
    c:\users\admin\desktop\m0ab rat v6\m0ab.exe
    c:\windows\system32\ntdll.dll

PID 3972
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\M0AB RAT V6.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll
Total events: 3 987
Read events: 3 966
Write events: 21
Delete events: 0

Modification events

(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, name ShellExtBMP, value (empty)
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, name ShellExtIcon, value (empty)
(3972) WinRAR.exe: write HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E, name LanguageList, value en-US
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, name 3, value C:\Users\admin\Desktop\phacker.zip
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, name 2, value C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, name 1, value C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, name 0, value C:\Users\admin\Desktop\M0AB RAT V6.rar
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name name, value 120
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name size, value 80
(3972) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name type, value 120
Executable files: 15
Suspicious files: 0
Text files: 231
Unknown types: 0

Dropped files

PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Actobat Reader-01.ico
  MD5: AF29C296EFAF80F545741B63526DF67B
  SHA256: C672CD2FF5F70B517AB3E8747B5DE99CD6998AFDD56D720B5A6A3C8190E08DDE
PID 3972 (WinRAR.exe), type executable: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\ar\Black Worm.resources.dll
  MD5: 34870563A5AD1DE827053DD8F2856023
  SHA256: E236F0992D17A42D027585F08D9103687AE0984698203115267FE6B2F90EC0E7
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Access 2013.ico
  MD5: E66042DFAFB9D5F7DA3FC54B92B8F648
  SHA256: 78999EF2A6A86F4BBF9933D76B32B495838E3DC75FA153FE0C3DE783D144435B
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Creative Cloud-01.ico
  MD5: 954F11E6242CD0A402F73100475B4D9C
  SHA256: 42F00C197EB32E4FC492E14409CDE578A756E4E27CE25C853128744661C23BCA
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Actobat Pro-01.ico
  MD5: BAFA8B8E644E99EB44D1FD65591A2A3E
  SHA256: D9AEC11769266E9A01FB7030346E80976609D97A5649DF348674B18ED67B7E32
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe In Design-01.ico
  MD5: 46D58E5C3C9BC6CD4783689E8326FA53
  SHA256: EE13CBC439A7786BDF99D74AB8966D5258D219FBB8A655831078314AE39659E8
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Actobat Pro DC-01.ico
  MD5: 4169344FA37A70F350B95392D7D90213
  SHA256: 189957C664D592DD3E58ACDC6D9CCA7A73DF88B8FF4976B4209FDE52F4E6329D
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Illustrator-01.ico
  MD5: 7FC38531A23CF525D31E28B9B67CA8B6
  SHA256: E5C2BE951421FC232FB1445BC7CF550F8096191A53822A9A3F1E1034C080D365
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe After Effects-01.ico
  MD5: F977F0EC55278577A6CF57F375FCC508
  SHA256: 6F62CA11DE88082A7D0907E2DD2F42BDB2D544E0890F629E842DBC704F2547CD
PID 3972 (WinRAR.exe), type image: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\after-effects.ico
  MD5: 67269D858EAB0148C27EFA418DA81242
  SHA256: 442307AD26024E844B931DFB202641ABBAB9D39A7B9C268A8839BF10859B8564
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:137   -       -    -   whitelisted
4     System       192.168.100.255:138   -       -    -   whitelisted
-     -            224.0.0.252:5355      -       -    -   unknown
1080  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info