File name: M0AB RAT V6.rar

Full analysis: https://app.any.run/tasks/9c15d35e-b0f3-436c-8d94-717293a346ba
Verdict: Malicious activity
Analysis date: March 10, 2024, 17:25:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BFF7A7A22BDC728A4F4576ED6EBAA559
SHA1: FF2473570EB1C8B818ED655E91B7BC33DEDE499B
SHA256: B0B39548818D2B5DC4BA77C82DBEE37E08DCCA438C9DF7B158126700FE737707
SSDEEP: 98304:4oeqHXesstKIMZxOGxkSuQrZROTQ9O68bzC084VCL2qR4sSqPtHnYrRnq6CtFZFT:wsQxy/3A4ff9f9rj
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions looks like stealing of personal data
      • WinRAR.exe (PID: 3972)
      • M0AB.exe (PID: 2580)
    • Changes the autorun value in the registry
      • M0AB.exe (PID: 2580)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 3972)
    • Reads security settings of Internet Explorer
      • M0AB.exe (PID: 2580)
    • Reads the Internet Settings
      • M0AB.exe (PID: 2580)
  • INFO
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3972)
    • Reads the computer name
      • M0AB.exe (PID: 2580)
    • Checks supported languages
      • M0AB.exe (PID: 2580)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3972)
    • Manual execution by a user
      • M0AB.exe (PID: 2580)
      • M0AB.exe (PID: 3460)
    • Reads the machine GUID from the registry
      • M0AB.exe (PID: 2580)
    • Creates files or folders in the user directory
      • M0AB.exe (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD:
  .rar | RAR compressed archive (v5.0) (61.5)
  .rar | RAR compressed archive (gen) (38.4)

No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive view in the full report; process details are listed below)

Nodes: start, winrar.exe, m0ab.exe (no specs), m0ab.exe

Process information

PID: 2580
CMD: "C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe"
Path: C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe
Parent process: explorer.exe
User: admin
Company: M0AB SOFTWARE
Integrity Level: HIGH
Description: M0AB RAT
Exit code: 0
Version: 6.0.0.0
Modules (images):
  c:\users\admin\desktop\m0ab rat v6\m0ab.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3460
CMD: "C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe"
Path: C:\Users\admin\Desktop\M0AB RAT V6\M0AB.exe
Parent process: explorer.exe
User: admin
Company: M0AB SOFTWARE
Integrity Level: MEDIUM
Description: M0AB RAT
Exit code: 3221226540
Version: 6.0.0.0
Modules (images):
  c:\users\admin\desktop\m0ab rat v6\m0ab.exe
  c:\windows\system32\ntdll.dll

PID: 3972
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\M0AB RAT V6.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 3 987
Read events: 3 966
Write events: 21
Delete events: 0

Modification events

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\M0AB RAT V6.rar

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 15
Suspicious files: 0
Text files: 231
Unknown types: 0

Dropped files

All entries below share PID: 3972, Process: WinRAR.exe, Type: image.

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Access 2013.ico
  MD5: E66042DFAFB9D5F7DA3FC54B92B8F648
  SHA256: 78999EF2A6A86F4BBF9933D76B32B495838E3DC75FA153FE0C3DE783D144435B

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Actobat Pro DC-01.ico
  MD5: 4169344FA37A70F350B95392D7D90213
  SHA256: 189957C664D592DD3E58ACDC6D9CCA7A73DF88B8FF4976B4209FDE52F4E6329D

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Creative Cloud-01.ico
  MD5: 954F11E6242CD0A402F73100475B4D9C
  SHA256: 42F00C197EB32E4FC492E14409CDE578A756E4E27CE25C853128744661C23BCA

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Acrobat Reader.ico
  MD5: 6E296F593F3CA103E66FDC81BC458BA6
  SHA256: 685CDD5FEAB1B64A510B4939D81D49B7187943FA185DF8D1F6E7D35DEAC32195

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe After Effects-01.ico
  MD5: F977F0EC55278577A6CF57F375FCC508
  SHA256: 6F62CA11DE88082A7D0907E2DD2F42BDB2D544E0890F629E842DBC704F2547CD

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\3ds Max.ico
  MD5: 36A455916AA2970099E120CE7094163A
  SHA256: EFD65A02D2626F7DA71AFABB4702781FDB1BA5CD957505A2464EBC9DB848900B

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Actobat Reader-01.ico
  MD5: AF29C296EFAF80F545741B63526DF67B
  SHA256: C672CD2FF5F70B517AB3E8747B5DE99CD6998AFDD56D720B5A6A3C8190E08DDE

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Illustrator-01.ico
  MD5: 7FC38531A23CF525D31E28B9B67CA8B6
  SHA256: E5C2BE951421FC232FB1445BC7CF550F8096191A53822A9A3F1E1034C080D365

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Premiere-01.ico
  MD5: 24AFE2DFF0561A8386B33FC8A462478E
  SHA256: A8394B221F7ED2D0662721733B623D8758E619E1263FC4FEDE973F7CFF7813E1

Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.4098\M0AB RAT V6\icons\Adobe Photoshop-01.ico
  MD5: 0024BC84041437FEE8E9F0877F29C766
  SHA256: 91184EDD4F3DC48125BBBA2119F5B8F9345E2BE79BA69B89B7B123134586741B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections (columns reported: PID, Process, IP, Domain, ASN, CN, Reputation; Domain, ASN and CN were empty for every row)

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: (not reported) | Process: (not reported) | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown

DNS requests

No data

Threats

No threats detected

No debug info