Malware analysis Microsoft.rar Malicious activity | ANY.RUN

Add for printing

File name:	Microsoft.rar
Full analysis:	https://app.any.run/tasks/f616d13d-fd29-4fd4-b81d-6c1f8fcb8e10
Verdict:	Malicious activity
Threats:	FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	July 28, 2024, 13:57:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	fatalrat rat
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	7DFF176FE56E15BA87F208ABECAE8B98
SHA1:	A5A09BD8C7B40240D5F0C6E2E35D1DF9A3333381
SHA256:	BA98C5AD908EC2E49372B7062584DA5050DE8DA03966A971553BB804124710F3
SSDEEP:	98304:lPFA+JeIACLU0xD1UEArHzqLf9Dr5k+PgB9QJQtLB/xuZyQ5e+rKaq2QiQDuFnEi:bWar59

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 4092)
  - thelper.exe (PID: 1188)
- Connects to the CnC server
  - thelper.exe (PID: 6716)
- FATALRAT has been detected (SURICATA)
  - thelper.exe (PID: 6716)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 4092)
  - dllhost.exe (PID: 5700)
- Executes application which crashes
  - thelper.exe (PID: 6744)
- Executable content was dropped or overwritten
  - dllhost.exe (PID: 5700)
  - thelper.exe (PID: 1188)
- The process drops C-runtime libraries
  - dllhost.exe (PID: 5700)
- Reads security settings of Internet Explorer
  - thelper.exe (PID: 1188)
- Reads the date of Windows installation
  - thelper.exe (PID: 1188)
- Starts itself from another location
  - thelper.exe (PID: 1188)
- Contacting a server suspected of hosting an CnC
  - thelper.exe (PID: 6716)
- There is functionality for taking screenshot (YARA)
  - thelper.exe (PID: 6716)
INFO
- Reads the software policy settings
  - slui.exe (PID: 3848)
  - WerFault.exe (PID: 3112)
- Manual execution by a user
  - thelper.exe (PID: 6744)
  - thelper.exe (PID: 1188)
  - thelper.exe (PID: 6716)
  - thelper.exe (PID: 5452)
- Checks proxy server information
  - slui.exe (PID: 3848)
  - WerFault.exe (PID: 3112)
- Checks supported languages
  - thelper.exe (PID: 6744)
  - thelper.exe (PID: 1188)
  - thelper.exe (PID: 6716)
  - thelper.exe (PID: 5452)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 3112)
  - thelper.exe (PID: 1188)
  - thelper.exe (PID: 6716)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4092)
- Reads security settings of Internet Explorer
  - dllhost.exe (PID: 5700)
- Drops the executable file immediately after the start
  - dllhost.exe (PID: 5700)
- Reads the computer name
  - thelper.exe (PID: 1188)
  - thelper.exe (PID: 6716)
- Process checks computer location settings
  - thelper.exe (PID: 1188)
- Reads CPU info
  - thelper.exe (PID: 6716)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

162

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1188

"C:\ProgramData\Microsoft\MF\thelper.exe"

C:\ProgramData\Microsoft\MF\thelper.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

BrowserSupport Module

Exit code:

Version:

2, 0, 0, 88

Modules

Images
c:\programdata\microsoft\mf\thelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

3112

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6744 -s 612

C:\Windows\SysWOW64\WerFault.exe

thelper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3484

"C:\Users\admin\AppData\Local\thelper.exe"

C:\Users\admin\AppData\Local\thelper.exe

—

thelper.exe

User:

admin

Integrity Level:

MEDIUM

Description:

BrowserSupport Module

Exit code:

3222601730

Version:

2, 0, 0, 88

Modules

Images
c:\users\admin\appdata\local\thelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3848

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4092

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Microsoft.rar

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5452

"C:\Users\admin\Desktop\Microsoft\MF\thelper.exe"

C:\Users\admin\Desktop\Microsoft\MF\thelper.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

BrowserSupport Module

Exit code:

Version:

2, 0, 0, 88

Modules

Images
c:\users\admin\desktop\microsoft\mf\thelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

5700

C:\WINDOWS\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\System32\dllhost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

6716

"C:\ProgramData\Microsoft\MF\thelper.exe"

C:\ProgramData\Microsoft\MF\thelper.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

BrowserSupport Module

Version:

2, 0, 0, 88

Modules

Images
c:\programdata\microsoft\mf\thelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

6744

"C:\Users\admin\Desktop\Microsoft\MF\thelper.exe"

C:\Users\admin\Desktop\Microsoft\MF\thelper.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

BrowserSupport Module

Exit code:

3221225477

Version:

2, 0, 0, 88

Modules

Images
c:\users\admin\desktop\microsoft\mf\thelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

7036

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

13 431

Read events

13 393

Write events

Delete events

Modification events


(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Microsoft.rar
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(4092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\atl90.dll		executable
		MD5:338F1F7137860D3BF6094941AC2A9BA2	SHA256:5122E4A2E48E34326B6267D48BD007DA76A15243B90550EA565F1654CCC64877
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\Mi.jpg		image
		MD5:63FCD3B1AAC6D3FFA2C209A619623AC4	SHA256:7755A33AAD62E9468BB682B3504ED7ADAE2A387ADBC46DB60646A3ACD61E13DB
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\Microsoft.VC90.CRT.manifest		xml
		MD5:4F9ED5EFA4F7B75BCFE0F36C36EE5CB6	SHA256:FF718390133B400EE679177B2902BBB918DB148BBB4ABABA03D0A1DF325B3303
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\Microsoft.VC90.ATL.manifest		xml
		MD5:B41644A01C05740576B4E77662C7E86C	SHA256:A9A98FC7062262A47A1C0727339C760D18589B8549E4267762F7F4C88A103632
3112	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_thelper.exe_864a385f57fc334802531bd8ed15ad19e9a5b_9cbb98d1_5723dae3-770e-44c7-bb1b-68459c90ad7e\Report.wer		—
		MD5:—	SHA256:—
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\msvcp90.dll		executable
		MD5:6DE5C66E434A9C1729575763D891C6C2	SHA256:4F7ED27B532888CE72B96E52952073EAB2354160D1156924489054B7FA9B0B1A
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\msvcr90.dll		executable
		MD5:E7D91D008FE76423962B91C43C88E4EB	SHA256:ED0170D3DE86DA33E02BFA1605EEC8FF6010583481B1C530843867C1939D2185
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\ic.dll		executable
		MD5:1FCD1D41CD1D799989C4D9B1D7B7BE07	SHA256:8AC99C6716BD235986CAD57CC30602C9CB5F15685971B93C77A36E70DE5A3D44
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\mt.dll		executable
		MD5:F32C47D2B4A98595EF767D374922692D	SHA256:2CEDABD9E0B7749F97498E8A7FB39928CE9DE1ED5561515DB093D5CCB7E67901
4092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4092.38022\Microsoft\MF\libexpat.dll		executable
		MD5:5FF790879AAB8078884EAAC71AFFEB4A	SHA256:CCECA70F34BBCEC861A02C3700DE79EA17D80C0A7B9F33D7EDD1357A714E0F2F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4780	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4132	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6220	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	92.123.104.24:443	www.bing.com	Akamai International B.V.	DE	unknown
6012	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3992	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5804	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2668	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146 51.104.136.2	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	92.123.104.24 92.123.104.19 92.123.104.16 92.123.104.9 92.123.104.12 92.123.104.21 92.123.104.14 92.123.104.6 92.123.104.29 104.126.37.123 104.126.37.147 104.126.37.146 104.126.37.160 104.126.37.137 104.126.37.145 104.126.37.153 104.126.37.155 104.126.37.130	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
google.com	142.250.185.206	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.45	whitelisted
login.live.com	20.190.159.64 20.190.159.0 20.190.159.75 40.126.31.73 40.126.31.67 20.190.159.23 40.126.31.71 20.190.159.4	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted

Threats

PID	Process	Class	Message
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity
6716	thelper.exe	Malware Command and Control Activity Detected	ET MALWARE FatalRAT CnC Activity

Add for printing

Process	Message
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...
thelper.exe	SVP7-Thread running...

General Info

Microsoft.rar

7DFF176FE56E15BA87F208ABECAE8B98

A5A09BD8C7B40240D5F0C6E2E35D1DF9A3333381

BA98C5AD908EC2E49372B7062584DA5050DE8DA03966A971553BB804124710F3

98304:lPFA+JeIACLU0xD1UEArHzqLf9Dr5k+PgB9QJQtLB/xuZyQ5e+rKaq2QiQDuFnEi:bWar59

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Connects to the CnC server

FATALRAT has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Executes application which crashes

Executable content was dropped or overwritten

The process drops C-runtime libraries

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts itself from another location

Contacting a server suspected of hosting an CnC

There is functionality for taking screenshot (YARA)

INFO

Reads the software policy settings

Manual execution by a user

Checks proxy server information

Checks supported languages

Creates files or folders in the user directory

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Drops the executable file immediately after the start

Reads the computer name

Process checks computer location settings

Reads CPU info

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings