File name: 7.rar
Full analysis: https://app.any.run/tasks/518e1432-c0c9-4442-871d-10d9986bcd42
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Analysis date: January 18, 2019, 08:03:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, orcus, stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: ECE242390DBBDADF769265E531D5F2E7
SHA1: 56AAD31148124336EAFAF29589C52952F277D2E5
SHA256: C50D18E1D8DF244D764C92173B6E3AC996D078151E71AF7893B440C81CCBB2A0
SSDEEP: 24576:NSUG7HKtphP3k4PUALDEqQL5X9fOCSMcqGWX1hs:7GGtpN3/bytX9fOvlpWX3s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • AIO Netflix checker & gen.exe (PID: 3040)
      • ПанҐ.exe (PID: 2836)
    • Orcus was detected
      • Regasm.exe (PID: 940)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • AIO Netflix checker & gen.exe (PID: 3040)
    • Creates files in the user directory
      • AIO Netflix checker & gen.exe (PID: 3040)
    • Connects to unusual port
      • Regasm.exe (PID: 940)
    • Starts itself from another location
      • AIO Netflix checker & gen.exe (PID: 3040)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
Total processes: 41
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Edge legend: start; drop and start
Nodes:
  • winrar.exe (no specs)
  • aio netflix checker & gen.exe
  • панґ.exe (no specs)
  • regasm.exe (#ORCUS)
  • explorer.exe (no specs)

Process information

PID: 2728
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3040
CMD: "C:\Users\admin\Desktop\AIO Netflix checker & gen.exe"
Path: C:\Users\admin\Desktop\AIO Netflix checker & gen.exe
Parent process: explorer.exe
User: admin
Company: ҐіЗеУПфоРаЛАх ГqФиеQцзАРМспх
Integrity Level: MEDIUM
Description: ИККЙQЦФйбХФлССтДт ІХбАБКввНПГРВуеАБіс
Exit code: 0
Version: 6.9.3.8

PID: 2836
CMD: "C:\Users\admin\AppData\Roaming\ПанҐ.exe"
Path: C:\Users\admin\AppData\Roaming\ПанҐ.exe
Parent process: AIO Netflix checker & gen.exe
User: admin
Company: ҐіЗеУПфоРаЛАх ГqФиеQцзАРМспх
Integrity Level: MEDIUM
Description: ИККЙQЦФйбХФлССтДт ІХбАБКввНПГРВуеАБіс
Exit code: 0
Version: 6.9.3.8

PID: 940
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process: ПанҐ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 1073807364
Version: 4.6.1055.0 built by: NETFXREL2

PID: 3844
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 840
Read events: 816
Write events: 24
Delete events: 0

Modification events

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\7.rar

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\AppData\Local\Temp
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2728
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2728.12181\AIO Netflix checker & gen.exe
Type:
MD5:
SHA256:

PID: 3040
Process: AIO Netflix checker & gen.exe
Filename: C:\Users\admin\AppData\Roaming\ПанҐ.exe
Type: executable
MD5: 439FB49CB62C5E3F9A3709305D38507A
SHA256: A767AAF09B3BC03C88809142CF8C43339B074ADA943B05FDD228E2CF4F99A0D8
HTTP(S) requests: 0
TCP/UDP connections: 18
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 940
Process: Regasm.exe
IP: 104.128.234.104:1337
Domain:
ASN: VooServers Ltd
CN: US
Reputation: malicious

DNS requests

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info