File name: Необходимо свериться за февраль-март.gz

Full analysis: https://app.any.run/tasks/95f738ad-c63a-4f7a-a959-10a430177d23
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are malware that gives an attacker partial to complete control over an infected computer. Such programs are often modular, offering a wide range of functions for illicit activity on the compromised system; common capabilities include access to the user's data, webcam, and keystrokes. RATs are frequently distributed through phishing emails and links.

Analysis date: March 21, 2019, 10:58:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, rat, redaman
Indicators:
MIME: application/gzip
File info: gzip compressed data, was "\315\345\356\341\365\356\344\350\354\356 \361\342\345\360\350\362\374\361\377 \347\340 \364\345\342\360\340\353\374-\354\340\360\362.exe", last modified: Tue Mar 19 21:03:23 2019, max speed, from FAT filesystem (MS-DOS, OS/2, NT)
MD5: 8FBE6389F3B9525B11D880C936066B39
SHA1: 48414AE8F9535239342FE7BF23D157499078068F
SHA256: B9DB00DD127CA8B05B182D3018A1C9460B64174E4337A2FDE251FBB5F9DD528F
SSDEEP: 6144:xN3CJY6QsctcUWFHLaEH7nkSPHYc+aM/UIBuViq3tnbDaiPaRIk4w5065Y8O43b:xBJ6zc2LFHL/wAYc+HuViqdnbDaiPWpr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Необходимо свериться за февраль-март.exe (PID: 3100)
      • rundll32.exe (PID: 3368)
      • WinRAR.exe (PID: 2960)
      • explorer.exe (PID: 2036)
    • Application was dropped or rewritten from another process
      • Необходимо свериться за февраль-март.exe (PID: 3100)
    • REDAMAN was detected
      • rundll32.exe (PID: 3368)
    • Loads the Task Scheduler COM API
      • Необходимо свериться за февраль-март.exe (PID: 3100)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Необходимо свериться за февраль-март.exe (PID: 3100)
      • WinRAR.exe (PID: 2960)
    • Creates files in the program directory
      • Необходимо свериться за февраль-март.exe (PID: 3100)
    • Connects to unusual port
      • rundll32.exe (PID: 3368)
  • INFO
    • No info indicators.
Malware configuration: none extracted.

TRiD

.z/gz/gzip | GZipped data (100)

EXIF

ZIP

ArchivedFileName: Необходимо свериться за февраль-март.exe
OperatingSystem: FAT filesystem (MS-DOS, OS/2, NT/Win32)
ExtraFlags: Fastest Algorithm
ModifyDate: 2019:03:19 22:03:23+01:00
Flags: FileName
Compression: Deflated
No data.
Total processes: 33
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 3

Behavior graph

Nodes recovered from the graph: WinRAR.exe; Необходимо свериться за февраль-март.exe (drop and start); rundll32.exe (#REDAMAN); explorer.exe (no specs).

Process information

PID: 2960
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Необходимо свериться за февраль-март.gz.z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3100
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.41927\Необходимо свериться за февраль-март.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.41927\Необходимо свериться за февраль-март.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3368
CMD: rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root
Path: C:\Windows\system32\rundll32.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2036
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: SearchFilterHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 463
Read events: 446
Write events: 17
Delete events: 0

Modification events

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Необходимо свериться за февраль-март.gz.z

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2036) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.z\OpenWithList
Operation: write
Name: a
Value: WinRAR.exe

(PID) Process: (2036) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.z\OpenWithList
Operation: write
Name: MRUList
Value: a

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3368
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\496F.tmp
Type:
MD5:
SHA256:

PID: 3368
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\nhlockkhkjkpkmfj
Type:
MD5:
SHA256:

PID: 3368
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.41927\Необходимо свериться за февраль-март.exe
Type:
MD5:
SHA256:

PID: 3368
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.41927\logjacfkmbafkjmd
Type:
MD5:
SHA256:

PID: 3100
Process: Необходимо свериться за февраль-март.exe
Filename: C:\ProgramData\2401bf603c90\2702bc633f93.dat
Type: executable
MD5: 34496B29C41AABF7CCDF431F9ED88530
SHA256: 82B27FCE56AA519C15B7FE954D7A3B8F155DEC692B4378934C1F72451F726C22

PID: 3100
Process: Необходимо свериться за февраль-март.exe
Filename: C:\Users\admin\AppData\Local\Temp\496F.tmp
Type: executable
MD5: 34496B29C41AABF7CCDF431F9ED88530
SHA256: 82B27FCE56AA519C15B7FE954D7A3B8F155DEC692B4378934C1F72451F726C22

PID: 2960
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.41927\Необходимо свериться за февраль-март.exe
Type: executable
MD5: 00C6E8E05A3BF9A1A84F9092DD5E15CC
SHA256: EB8035345CE22D91AA9A0C72D59D52AF8F750758DFCB1924F160585F4541E95C
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID: 3368
Process: rundll32.exe
Method: GET
HTTP Code: 200
IP: 178.62.9.171:80
URL: http://myip.ru/index_small.php
CN: GB
Type: html
Size: 323 b
Reputation: malicious

Connections

PID: 3368
Process: rundll32.exe
IP: 178.62.9.171:80
Domain: myip.ru
ASN: Digital Ocean, Inc.
CN: GB
Reputation: malicious

PID: 3368
Process: rundll32.exe
IP: 35.168.202.103:443
Domain:
ASN: Amazon.com, Inc.
CN: US
Reputation: suspicious

PID: 3368
Process: rundll32.exe
IP: 86.148.54.29:9001
Domain:
ASN: British Telecommunications PLC
CN: GB
Reputation: unknown

DNS requests

Domain: myip.ru
IP: 178.62.9.171
Reputation: unknown

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

PID: 3368
Process: rundll32.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY myip.ru IP lookup

PID: 3368
Process: rundll32.exe
Class: A Network Trojan was detected
Message: ET TROJAN [PTsecurity] Win32/Spy.RTM/Redaman IP Check

PID: 3368
Process: rundll32.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman) IP Check

Debug info: none.