analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

AbkoRAT_By_Kjh.exe

Full analysis: https://app.any.run/tasks/c2e703d6-7f4e-419b-8067-83a13cb45343
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 20, 2024, 18:06:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netreactor
themida
dyndns
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BE74505360F04AD9E16A34D13344627F

SHA1:

D622ED0892FFD279A26D241445FEE3593C0ACE08

SHA256:

B9F374C7E415C1143AAB8E6D2AC26C682EDC7E5442BE1DB1A9B604DD58A29038

SSDEEP:

98304:Tw9SdZ6lXHtZ47p517PCzqD2Xwz/TiZ0CwLti018XlW4hG0LVWG4YjNcoKBa2aIq:a+09qO4raFU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 2900)
      • server.exe (PID: 1620)

    • Changes the autorun value in the registry

      • server.exe (PID: 1980)
      • server.exe (PID: 1620)

    • Steals credentials from Web Browsers

      • server.exe (PID: 1620)
      • tmpC74A.tmp (PID: 3016)

    • Actions looks like stealing of personal data

      • server.exe (PID: 1620)
      • tmpC74A.tmp (PID: 3016)

    • Steals credentials

      • tmpC74A.tmp (PID: 3016)
      • AbkoRAT_By_Kjh.exe (PID: 3268)

    • Uses NirSoft utilities to collect credentials

      • tmpC74A.tmp (PID: 3016)

  • SUSPICIOUS

    • Reads the BIOS version

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 1620)

    • There is functionality for communication dyndns network (YARA)

      • AbkoRAT_By_Kjh.exe (PID: 3268)

    • Executable content was dropped or overwritten

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 2900)
      • server.exe (PID: 1620)

    • Reads security settings of Internet Explorer

      • server.exe (PID: 2900)
      • server.exe (PID: 1980)

    • Reads the Internet Settings

      • server.exe (PID: 2900)
      • server.exe (PID: 1980)

    • Starts itself from another location

      • server.exe (PID: 2900)

    • Application launched itself

      • server.exe (PID: 1980)

    • Starts application with an unusual extension

      • server.exe (PID: 1620)

    • Loads DLL from Mozilla Firefox

      • tmpC74A.tmp (PID: 3016)

    • Reads the Windows owner or organization settings

      • server.exe (PID: 1620)

    • Creates file in the systems drive root

      • server.exe (PID: 1620)

  • INFO

    • Checks supported languages

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 2900)
      • server.exe (PID: 1980)
      • server.exe (PID: 1620)
      • tmpC74A.tmp (PID: 3016)

    • Reads the machine GUID from the registry

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 1980)
      • server.exe (PID: 1620)
      • tmpC74A.tmp (PID: 3016)

    • Create files in a temporary directory

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 2900)
      • server.exe (PID: 1620)
      • tmpC74A.tmp (PID: 3016)

    • Reads the computer name

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 1980)
      • server.exe (PID: 2900)
      • server.exe (PID: 1620)
      • tmpC74A.tmp (PID: 3016)

    • Themida protector has been detected

      • AbkoRAT_By_Kjh.exe (PID: 3268)

    • Reads Environment values

      • AbkoRAT_By_Kjh.exe (PID: 3268)
      • server.exe (PID: 1980)
      • server.exe (PID: 1620)

    • .NET Reactor protector has been detected

      • AbkoRAT_By_Kjh.exe (PID: 3268)

    • Manual execution by a user

      • server.exe (PID: 2900)

    • NirSoft software is detected

      • tmpC74A.tmp (PID: 3016)

    • Reads CPU info

      • server.exe (PID: 1620)

    • Reads product name

      • server.exe (PID: 1620)

    • Reads Windows Product ID

      • server.exe (PID: 1620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: AbkoRAT
OriginalFileName: AbkoRAT.exe
LegalCopyright: Copyright © 2020 Kjh
InternalName: AbkoRAT.exe
FileVersion: 1.0.0.0
FileDescription: AbkoRAT
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x69e000
UninitializedDataSize: -
InitializedDataSize: 28672
CodeSize: 2444288
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2017:04:28 02:20:47+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT abkorat_by_kjh.exe server.exe server.exe server.exe netstat.exe no specs tmpc74a.tmp

Process information

PID
CMD
Path
Indicators
Parent process
3268"C:\Users\admin\Desktop\AbkoRAT_By_Kjh.exe" C:\Users\admin\Desktop\AbkoRAT_By_Kjh.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AbkoRAT
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\abkorat_by_kjh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2900"C:\Users\admin\Desktop\server.exe" C:\Users\admin\Desktop\server.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1980"C:\Users\admin\AppData\Local\Temp\server.exe" C:\Users\admin\AppData\Local\Temp\server.exe
server.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1620"C:\Users\admin\AppData\Local\Temp\server.exe" C:\Users\admin\AppData\Local\Temp\server.exe
server.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1384"netstat" -noC:\Windows\System32\NETSTAT.EXEserver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll
3016C:\Users\admin\AppData\Local\Temp\tmpC74A.tmp /stext C:\Users\admin\AppData\Local\Temp\tmpC74A.tmp.txtC:\Users\admin\AppData\Local\Temp\tmpC74A.tmp
server.exe
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
WebBrowserPassView
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\appdata\local\temp\tmpc74a.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
8 679
Read events
8 654
Write events
25
Delete events
0

Modification events

(PID) Process:(2900) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2900) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2900) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2900) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1980) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:{3g26zleo6-8163-7334-flw9-v1o10a0y336h}
Value:
"C:\Users\admin\AppData\Local\Temp\server.exe" /**
(PID) Process:(1980) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1980) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1980) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1980) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1620) server.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:{3g26zleo6-8163-7334-flw9-v1o10a0y336h}
Value:
"C:\Users\admin\AppData\Local\Temp\server.exe" /**
Executable files
4
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
3016tmpC74A.tmpC:\Users\admin\AppData\Local\Temp\bhvC798.tmp
MD5:
SHA256:
3268AbkoRAT_By_Kjh.exeC:\Users\admin\AppData\Local\Temp\_ght\Config.dattext
MD5:CA490E2DBA1310E35C57F03234E91212
SHA256:FB96ECC5165DF80F6C5AA4D5EE850FB91D19302D9CC1848289D3765C7B0FABA1
3268AbkoRAT_By_Kjh.exeC:\Users\admin\Desktop\Files\USER-PC_admin_Microsoft Windows 7 Professional\PC-Informations.txttext
MD5:83F9B9DD26E46C2666B65AAF30C66CED
SHA256:B7CBCCA48C9CF4FCEAB7AFE2B014C5AFD647E91E0155790C13BD4EB6E1652C9D
3268AbkoRAT_By_Kjh.exeC:\Users\admin\AppData\Local\Temp\_ght\stub.ghtexecutable
MD5:C28079388C1DD0661FE749AA3F7985F9
SHA256:ABD99180097530234A1BE4E9433D2A6C34F841C67FAEEAEBAC4B3F118449EE43
3268AbkoRAT_By_Kjh.exeC:\Users\admin\Desktop\Files\USER-PC_admin_Microsoft Windows 7 Professional\Passwords.txttext
MD5:0AE331B1212EC662C8AC88F677F4A346
SHA256:5504A6262A67008154F8918E707C5614798019C74C89773DD8D828C10384DF22
1620server.exeC:\Users\admin\AppData\Local\Temp\tmpC74A.tmpexecutable
MD5:6D95F03EAF83B31686F263260202EE36
SHA256:29F2A54C829C37FC904A2B682C50B57D6D35E9AF5DC7F43D72B68C8C51255103
3268AbkoRAT_By_Kjh.exeC:\Users\admin\Desktop\server.exeexecutable
MD5:0BF502B2EDC1737EBDD7E7396289F8E4
SHA256:C3982DDAE61372A11B21B1A44A3E8F158BD5F1B1497E03CE1D1A0942FBE3A020
2900server.exeC:\Users\admin\AppData\Local\Temp\server.exeexecutable
MD5:0BF502B2EDC1737EBDD7E7396289F8E4
SHA256:C3982DDAE61372A11B21B1A44A3E8F158BD5F1B1497E03CE1D1A0942FBE3A020
3016tmpC74A.tmpC:\Users\admin\AppData\Local\Temp\tmpC74A.tmp.txttext
MD5:0D2C1D9BE2E728E03E9C0B7D856E9394
SHA256:D1802A1C8131800473A0B9BA78D8E797790EF03F9B593784CB12123F827B76E6
3268AbkoRAT_By_Kjh.exeC:\Users\admin\AppData\Local\Temp\_ght\GeoIP.datbinary
MD5:1F897B5825CF91799831862620911AFF
SHA256:5F85518CF71E7B53544E0BD0C1874D1F89A0D6DE7A6AD50683517575AAA56301
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1060
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
unknown
unknown
1372
svchost.exe
GET
304
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
23.50.131.216:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.216
  • 23.50.131.200
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
Process
Message
AbkoRAT_By_Kjh.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
AbkoRAT_By_Kjh.exe