File name: DarkRAT v11.2 PHP RAT пароль tr .rar

Full analysis: https://app.any.run/tasks/fd13dc6e-5cec-4e33-98b2-65ec2c8a19e9
Verdict: Malicious activity
Analysis date: July 25, 2021, 14:19:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 308F85DB85DCEF2340198F58E322423D
SHA1: 0D82C1EB74557A2EE5B8BDB7B9BDB47B91364B2B
SHA256: B3ECC9B4A4CF5E0E96F6E99D3DFE17BE98866F4DED153CBE4C6E247622279ED1
SSDEEP: 24576:5Z0fErKVZ1m0gKCGhC3d0RwyKFke4eUo9leuc+KEcuh0zcybx8A1q0OPQ:YceDQ0YKC3dyCJxme1IZao

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Dark RAT.exe (PID: 504)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 332)
      • Dark RAT.exe (PID: 504)
    • Reads the computer name

      • WinRAR.exe (PID: 332)
      • Dark RAT.exe (PID: 504)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 332)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 332)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 332)
    • Reads Environment values

      • Dark RAT.exe (PID: 504)
    • Reads Microsoft Outlook installation path

      • Dark RAT.exe (PID: 504)
  • INFO

    • Manual execution by user

      • Dark RAT.exe (PID: 504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: DarkRAT v11.2 - Fully Working\Dark RAT.exe
PackingMethod: Normal
ModifyDate: 2011:02:27 11:29:13
OperatingSystem: Win32
UncompressedSize: 1907200
CompressedSize: 609079
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph: start → winrar.exe → dark rat.exe (per-process details are in the full report)

Process information

PID: 332
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DarkRAT v11.2 PHP RAT ?????? tr .rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 504
CMD: "C:\Users\admin\Desktop\DarkRAT v11.2 - Fully Working\Dark RAT.exe"
Path: C:\Users\admin\Desktop\DarkRAT v11.2 - Fully Working\Dark RAT.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Dark RAT
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\darkrat v11.2 - fully working\dark rat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1 547
Read events: 1 525
Write events: 22
Delete events: 0

Modification events

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (332) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\DarkRAT v11.2 PHP RAT ?????? tr .rar

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (332) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0
Executable files: 4
Suspicious files: 1
Text files: 72
Unknown types: 0

Dropped files

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\avi98.ico | image
MD5: 29ED085432F740502E7E63004D7303DA
SHA256: 9C1BF5C30AC16FC0CD4036185B70D2729AA82A042106C2C3FCFA9BC8540415DE

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\cd.ico | image
MD5: 3BE2B6B2AD2118BF5EAE9ACB0459898C
SHA256: 920F21646E9D5D5F2ADD4122A6983CAF74FA87CF4E5E469D28157F3E6C811E16

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\bmp.ico | image
MD5: 96532507BE2FD90C6A35EE7363A21F9E
SHA256: 54A4CF4135149DEB3330A03885761721C392CEBC5807F483ACF747B35BF0D8E7

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\bat.ico | image
MD5: DBFA52ACEE248C454D2E9B8129E86CB8
SHA256: 09269B3283AE6299538DA4EDBE5A9BB0953F8898FFFD1FDF214CD5D0B86A1719

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\extra\Binder\Stub.exe | executable
MD5: 8A55BF76FDC70F830442744709D21D07
SHA256: BEE31D03A675DE4BA18634B913BB303EDBB8854357DCAC687FACBCF2AFB42804

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\avi.ico | image
MD5: 42EF2C97E72607E3A8DDD0D96F49FA81
SHA256: 754967BAD9025519473BE8F95EEBFA7B14FECE9A29784BA41C4103F404B96D03

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\access.ico | image
MD5: BE876694840E113BEE3502506B01EC4F
SHA256: 54111007011E7CC861275A32036868ED4BF6020C44F6325B9E9CCBB248935C03

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\doc2003.ico | image
MD5: 833317C2DE3C4B321CC5B482DB56787B
SHA256: 6B34ADA9721EF6CF66E802869658A05977DC7AF639C0397CCA750591DB0568EA

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\ico\dll.ico | image
MD5: 9510E408DBA8523E5C5857A936007389
SHA256: 51990504A616F801F690F8D6A89858761DEF2AE3563EAD7B3ED0E79ED8D69F0A

PID 332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb332.44080\DarkRAT v11.2 - Fully Working\extra\Binder\Unlimited File Downloader.exe | executable
MD5: CB3F51FEC0555F98EE592F1849CC8833
SHA256: 8A4FCB53F64C79E74399D228582E80979DC95EAFE52AC7708BD353284FD8F35B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info