File name: DarkRAT v11.2 PHP RAT пароль tr .rar (пароль is Russian for "password")

Full analysis: https://app.any.run/tasks/fd13dc6e-5cec-4e33-98b2-65ec2c8a19e9
Verdict: Malicious activity
Analysis date: July 25, 2021, 14:19:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 308F85DB85DCEF2340198F58E322423D
SHA1: 0D82C1EB74557A2EE5B8BDB7B9BDB47B91364B2B
SHA256: B3ECC9B4A4CF5E0E96F6E99D3DFE17BE98866F4DED153CBE4C6E247622279ED1
SSDEEP: 24576:5Z0fErKVZ1m0gKCGhC3d0RwyKFke4eUo9leuc+KEcuh0zcybx8A1q0OPQ:YceDQ0YKC3dyCJxme1IZao

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Dark RAT.exe (PID: 504)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 332)
      • Dark RAT.exe (PID: 504)
    • Reads the computer name

      • WinRAR.exe (PID: 332)
      • Dark RAT.exe (PID: 504)
    • Reads Microsoft Outlook installation path

      • Dark RAT.exe (PID: 504)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 332)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 332)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 332)
    • Reads Environment values

      • Dark RAT.exe (PID: 504)
  • INFO

    • Manual execution by user

      • Dark RAT.exe (PID: 504)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: DarkRAT v11.2 - Fully Working\Dark RAT.exe
PackingMethod: Normal
ModifyDate: 2011:02:27 11:29:13
OperatingSystem: Win32
UncompressedSize: 1907200
CompressedSize: 609079
No data.
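Added example (Python, standard library only; not code from the ANY.RUN report or from the DarkRAT kit): a RAR 4.x header walker that recovers the same fields the EXIF/ZIP block above shows for the sample (archived name, packing method, DOS modify time, host OS, sizes) plus the encrypted and solid flags, without extracting anything. The two-entry archive built by build_sample_archive() is constructed for the demo and stands in for the real sample; its names and timestamp copy the report's values, its contents are dummy bytes.

```python
"""RAR 4.x header walk: list archive entries without extracting anything.

Added example, not code from the ANY.RUN report or the DarkRAT kit. It follows
the block chain of a RAR v4 archive and reports, per file header, the fields the
EXIF/ZIP block shows for the sample (name, packing method, DOS modify time, host
OS, sizes) plus the encrypted/solid flags a triage script wants before anyone
types the password. build_sample_archive() constructs the demo archive.
"""
import struct
import zlib
from collections import namedtuple
from typing import List

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"        # doubles as the 7-byte marker block
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000                          # a 4-byte ADD_SIZE follows the header
MHD_SOLID, MHD_PASSWORD = 0x0008, 0x0080    # main header: solid / encrypted headers
FHD_PASSWORD, FHD_LARGE = 0x0004, 0x0100    # file header: encrypted data / 64-bit sizes
# PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
FILE_FIXED = struct.Struct("<IIBIIBBHI")
METHODS = {0x30: "Stored", 0x31: "Fastest", 0x32: "Fast", 0x33: "Normal",
           0x34: "Good", 0x35: "Best"}
HOST_OS = {0: "MS-DOS", 1: "OS/2", 2: "Win32", 3: "Unix", 4: "Mac OS", 5: "BeOS"}
RarEntry = namedtuple("RarEntry", "name packed_size unpacked_size method host_os mtime encrypted")


def dos_datetime(value: int) -> str:
    """Decode a 32-bit MS-DOS date/time (2-second resolution) in exiftool's layout."""
    return "{:04d}:{:02d}:{:02d} {:02d}:{:02d}:{:02d}".format(
        ((value >> 25) & 0x7F) + 1980, (value >> 21) & 0x0F, (value >> 16) & 0x1F,
        (value >> 11) & 0x1F, (value >> 5) & 0x3F, (value & 0x1F) * 2)


def parse_rar4(data: bytes) -> dict:
    """Walk the headers, checking each header CRC; packed data is skipped, never decompressed."""
    if not data.startswith(RAR4_SIGNATURE):
        raise ValueError("not a RAR 4.x archive")
    entries: List[RarEntry] = []
    info = {"solid": False, "encrypted_headers": False, "entries": entries}
    pos = len(RAR4_SIGNATURE)
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            raise ValueError(f"bad header size {head_size} at offset {pos}")
        # RAR stores the low 16 bits of CRC32 over the header bytes after the CRC field
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        body_size = 0
        if head_type == HEAD_FILE:
            (packed, unpacked, host, _crc, ftime, _ver, method,
             name_len, _attr) = FILE_FIXED.unpack_from(data, pos + 7)
            offset = pos + 7 + FILE_FIXED.size
            if flags & FHD_LARGE:            # files >= 4 GiB carry high size words
                hi_packed, hi_unpacked = struct.unpack_from("<II", data, offset)
                packed, unpacked = packed | hi_packed << 32, unpacked | hi_unpacked << 32
                offset += 8
            # Unicode names are stored as "<oem name>\0<encoded>"; keep the first part.
            raw = data[offset:offset + name_len].split(b"\0", 1)[0]
            entries.append(RarEntry(
                raw.decode("cp437", errors="replace"), packed, unpacked,
                METHODS.get(method, f"0x{method:02x}"), HOST_OS.get(host, str(host)),
                dos_datetime(ftime), bool(flags & FHD_PASSWORD)))
            body_size = packed               # the file data follows this header
        elif head_type == HEAD_MAIN:
            info["solid"] = bool(flags & MHD_SOLID)
            info["encrypted_headers"] = bool(flags & MHD_PASSWORD)
            if info["encrypted_headers"]:
                break                        # everything after this is ciphertext
        elif flags & LONG_BLOCK:
            body_size = struct.unpack_from("<I", data, pos + 7)[0]
        pos += head_size + body_size
        if head_type == HEAD_END:
            break
    return info


def suspicious_entries(info: dict) -> List[str]:
    """Entries worth a closer look: executables/scripts and anything encrypted."""
    risky = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar")
    return [e.name for e in info["entries"]
            if e.encrypted or e.name.lower().endswith(risky)]


def _block(head_type: int, flags: int, body: bytes) -> bytes:
    # Demo helper: one header block with a valid 16-bit header CRC.
    tail = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail


def build_sample_archive() -> bytes:
    """Constructed two-entry RAR4 archive mirroring the report's layout (not the sample)."""
    ftime = (31 << 25) | (2 << 21) | (27 << 16) | (11 << 11) | (29 << 5) | 6  # 2011-02-27 11:29:12

    def file_block(name: bytes, body: bytes, flags: int) -> bytes:
        fixed = FILE_FIXED.pack(len(body), len(body), 2, zlib.crc32(body),
                                ftime, 29, 0x30, len(name), 0x20)
        return _block(HEAD_FILE, flags | LONG_BLOCK, fixed + name) + body

    exe = file_block(b"DarkRAT v11.2 - Fully Working\\Dark RAT.exe",
                     b"MZ" + bytes(14), FHD_PASSWORD)   # dummy bytes, not real ciphertext
    ico = file_block(b"DarkRAT v11.2 - Fully Working\\ico\\avi.ico", bytes(8), 0)
    return RAR4_SIGNATURE + _block(HEAD_MAIN, 0, bytes(6)) + exe + ico + _block(HEAD_END, 0, b"")
```

Run parse_rar4() on the bytes of a suspect archive before handing it to WinRAR: an FHD_PASSWORD flag tells you up front that the payload is password-protected (as this file name advertises), and encrypted headers stop the walk at the main header, which is itself a signal. The walker never decompresses, so a crafted archive cannot reach the unpacker through it.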
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive view in the full report): start → winrar.exe, dark rat.exe (both launched from Explorer.EXE)

Process information

PID 332: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DarkRAT v11.2 PHP RAT пароль tr .rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 504: Dark RAT.exe
  CMD: "C:\Users\admin\Desktop\DarkRAT v11.2 - Fully Working\Dark RAT.exe"
  Path: C:\Users\admin\Desktop\DarkRAT v11.2 - Fully Working\Dark RAT.exe
  Parent process: Explorer.EXE
  User: admin
  Integrity Level: MEDIUM
  Description: Dark RAT
  Exit code: 0
  Version: 1.0.0.0
  Modules (images; the mscoree.dll load and the v4.0.30319 mscoreei.dll mark this as a .NET Framework 4 managed executable):
    c:\users\admin\desktop\darkrat v11.2 - fully working\dark rat.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1 547
Read events: 1 525
Write events: 22
Delete events: 0

Modification events

All listed registry writes come from WinRAR.exe (PID 332) and are WinRAR and shell UI state (themes, MUI cache, archive history, column widths, the ShowPassword toggle); none were made by Dark RAT.exe. ArcHistory entry 1 refers to an archive already on the sandbox desktop that is not among this sample's dropped files.

Key | Operation | Name | Value
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\DarkRAT v11.2 PHP RAT пароль tr .rar
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0
Executable files: 4
Suspicious files: 1
Text files: 72
Unknown types: 0

Dropped files

All ten listed files were written by WinRAR.exe (PID 332) under C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\:

ico\avi.ico (image)
  MD5: 42EF2C97E72607E3A8DDD0D96F49FA81
  SHA256: 754967BAD9025519473BE8F95EEBFA7B14FECE9A29784BA41C4103F404B96D03
ico\bat.ico (image)
  MD5: DBFA52ACEE248C454D2E9B8129E86CB8
  SHA256: 09269B3283AE6299538DA4EDBE5A9BB0953F8898FFFD1FDF214CD5D0B86A1719
ico\access.ico (image)
  MD5: BE876694840E113BEE3502506B01EC4F
  SHA256: 54111007011E7CC861275A32036868ED4BF6020C44F6325B9E9CCBB248935C03
extra\Binder\Stub.exe (executable)
  MD5: 8A55BF76FDC70F830442744709D21D07
  SHA256: BEE31D03A675DE4BA18634B913BB303EDBB8854357DCAC687FACBCF2AFB42804
Dark RAT.exe (executable)
  MD5: F13B1F64FA29096D69F40417180E83B2
  SHA256: 66512A2C31ADFE77FB66C2C824E55509BA2CCE70D158E850F0E56E3DC664F420
ico\cmd.ico (image)
  MD5: 896EFC2B6153D222239E0B0A648CFAA0
  SHA256: A853C9ADB7E80F632148E13892AC4EE9F071CCC854D5E4D905A969617DE23742
ico\avi98.ico (image)
  MD5: 29ED085432F740502E7E63004D7303DA
  SHA256: 9C1BF5C30AC16FC0CD4036185B70D2729AA82A042106C2C3FCFA9BC8540415DE
ico\cd.ico (image)
  MD5: 3BE2B6B2AD2118BF5EAE9ACB0459898C
  SHA256: 920F21646E9D5D5F2ADD4122A6983CAF74FA87CF4E5E469D28157F3E6C811E16
ico\contact.ico (image)
  MD5: D44B030E3472A8B9874F79D5DBE9C942
  SHA256: 017A4D10EAD6B28D3D06BB0E1C5004B6420A34A9B06F88012F538B32046D1B83
ico\dll.ico (image)
  MD5: 9510E408DBA8523E5C5857A936007389
  SHA256: 51990504A616F801F690F8D6A89858761DEF2AE3563EAD7B3ED0E79ED8D69F0A
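Added example (Python, standard library only; not ANY.RUN's detection logic, whose exact rules this report does not disclose): header checks that approximate three signals from this report, the "too old compile date" and "compiled in debug mode" flags raised on the dropped executables and the .NET nature of Dark RAT.exe shown by its mscoree.dll load. The 10-year threshold, the use of the debug data directory as a proxy for a debug build, and the minimal PE image built by build_sample_pe() are this example's own assumptions; REPORT_DATE is the analysis date from the header of this report.

```python
"""PE header triage: compile timestamp, debug directory, CLR header.

Added example, not code from the ANY.RUN report. For a dropped executable it
computes stand-ins for three report signals: "Drops a file with too old compile
date" (COFF TimeDateStamp far in the past, or in the future), "compiled in debug
mode" (a populated IMAGE_DIRECTORY_ENTRY_DEBUG, a coarse proxy) and the
mscoree.dll load that marks Dark RAT.exe as .NET (a populated CLR header).
The 10-year threshold and build_sample_pe() are this example's own choices.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

PE_SIGNATURE = b"PE\0\0"
PE32, PE32PLUS = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000
DIR_DEBUG, DIR_CLR = 6, 14           # IMAGE_DIRECTORY_ENTRY_DEBUG / _COM_DESCRIPTOR
REPORT_DATE = datetime(2021, 7, 25, 14, 19, 22, tzinfo=timezone.utc)  # analysis date above


def pe_triage(data: bytes, too_old_years: int = 10,
              now: Optional[datetime] = None) -> Dict[str, object]:
    """Parse the DOS/COFF/optional headers and return the triage facts.

    Raises ValueError on anything that is not a well-formed PE header; no
    section is mapped and no code is executed, so this is safe on hostile input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _symtab, _nsyms, _optsize, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(index: int):
        """(VirtualAddress, Size) of a data directory, or (0, 0) if absent."""
        if index >= ndirs or dirs_off + 8 * index + 8 > len(data):
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    debug_rva, debug_size = directory(DIR_DEBUG)
    clr_rva, clr_size = directory(DIR_CLR)
    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "compiled_utc": compiled.isoformat(),
        "compile_in_future": compiled > now,
        "too_old_compile_date": (now - compiled).days > 365 * too_old_years,
        "has_debug_directory": debug_rva != 0 and debug_size != 0,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_sample_pe(timestamp: int, debug: bool, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (headers only; not the analysed binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    # Machine=i386, 0 sections, TimeDateStamp, no symbols, SizeOfOptionalHeader,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 96 + 16 * 8, 0x0102)
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if debug:
        struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x2000, 0x1C)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2100, 0x48)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


def triage_sample(timestamp: int, debug: bool, dotnet: bool) -> Dict[str, object]:
    """Run pe_triage on a constructed image, with "now" frozen at the report date."""
    return pe_triage(build_sample_pe(timestamp, debug, dotnet), now=REPORT_DATE)
```

Point pe_triage() at the bytes of extra\Binder\Stub.exe or Dark RAT.exe from the Rar$ temp directory to get the same facts offline. A populated debug directory is a coarse proxy: release builds that ship PDB information also have one, so confirm with the CodeView record or, for .NET, the DebuggableAttribute before calling a file a debug build.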
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity was recorded in this run. Only "Dark RAT.exe" was executed (manual launch by the user, exit code 0); the dropped extra\Binder\Stub.exe was never run, so these zeros describe this session rather than what the kit can do.

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info