File name: | 7.rar |
Full analysis: | https://app.any.run/tasks/518e1432-c0c9-4442-871d-10d9986bcd42 |
Verdict: | Malicious activity |
Threats: | Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class. |
Analysis date: | January 18, 2019, 08:03:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | ECE242390DBBDADF769265E531D5F2E7 |
SHA1: | 56AAD31148124336EAFAF29589C52952F277D2E5 |
SHA256: | C50D18E1D8DF244D764C92173B6E3AC996D078151E71AF7893B440C81CCBB2A0 |
SSDEEP: | 24576:NSUG7HKtphP3k4PUALDEqQL5X9fOCSMcqGWX1hs:7GGtpN3/bytX9fOvlpWX3s |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2728 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3040 | "C:\Users\admin\Desktop\AIO Netflix checker & gen.exe" | C:\Users\admin\Desktop\AIO Netflix checker & gen.exe | explorer.exe | |
User: admin Company: ҐіЗеУПфоРаЛАх ГqФиеQцзАРМспх Integrity Level: MEDIUM Description: ИККЙQЦФйбХФлССтДт ІХбАБКввНПГРВуеАБіс Exit code: 0 Version: 6.9.3.8 | ||||
2836 | "C:\Users\admin\AppData\Roaming\ПанҐ.exe" | C:\Users\admin\AppData\Roaming\ПанҐ.exe | — | AIO Netflix checker & gen.exe |
User: admin Company: ҐіЗеУПфоРаЛАх ГqФиеQцзАРМспх Integrity Level: MEDIUM Description: ИККЙQЦФйбХФлССтДт ІХбАБКввНПГРВуеАБіс Exit code: 0 Version: 6.9.3.8 | ||||
940 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | ПанҐ.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 1073807364 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
3844 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\7.rar | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
(PID) Process: | (2728) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\AppData\Local\Temp |
PID | Process | Filename | Type | |
---|---|---|---|---|
2728 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2728.12181\AIO Netflix checker & gen.exe | — | |
MD5:— | SHA256:— | |||
3040 | AIO Netflix checker & gen.exe | C:\Users\admin\AppData\Roaming\ПанҐ.exe | executable | |
MD5:439FB49CB62C5E3F9A3709305D38507A | SHA256:A767AAF09B3BC03C88809142CF8C43339B074ADA943B05FDD228E2CF4F99A0D8 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
940 | Regasm.exe | 104.128.234.104:1337 | — | VooServers Ltd | US | malicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com |
| shared |