analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

887Rat-main.rar

Full analysis: https://app.any.run/tasks/9c6c3e0b-bd06-42c3-b229-42739d5f1fee
Verdict: Malicious activity
Analysis date: August 12, 2022, 15:36:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32, flags: RecoveryRecordPresent
MD5:

D7D11FB25A956C2DFC55B46A3B91940A

SHA1:

56A2C72BC1C0A38E3AD15FC34CF360BF93A76659

SHA256:

E27CC65C2A28268E8124719D88075AC9E22DB2A99120EDA1D700DB2519AF3C85

SSDEEP:

1572864:Sw2BUF2RxxB2B3EWbR2PG3yVqUSMglchm9yXnNEoNafYH1QChZ0/n6J:8B82RxbyELPGyaRLsXnNnNP1h2n6J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • crack.exe (PID: 1760)
      • 887Rat-main.exe (PID: 3132)
      • flagx.exe (PID: 3428)
      • Aut2exe.exe (PID: 2600)
      • AQACVJ.exe (PID: 372)
      • exe2msi.exe (PID: 2572)
      • Aut2exe.exe (PID: 1864)
      • PNCOMD.exe (PID: 3012)
      • crack.exe (PID: 892)

    • Drops executable file immediately after starts

      • 887Rat-main.exe (PID: 3132)
      • crack.exe (PID: 1760)
      • Aut2exe.exe (PID: 2600)
      • 887Rat.exe (PID: 3116)
      • AQACVJ.exe (PID: 372)
      • Aut2exe.exe (PID: 1864)

    • Writes to a start menu file

      • crack.exe (PID: 1760)

    • Loads dropped or rewritten executable

      • 887Rat.exe (PID: 3116)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3532)
      • crack.exe (PID: 1760)
      • 887Rat.exe (PID: 3116)
      • 887Rat-main.exe (PID: 3132)
      • WinRAR.exe (PID: 2248)
      • flagx.exe (PID: 3428)
      • Aut2exe.exe (PID: 2600)
      • AQACVJ.exe (PID: 372)
      • exe2msi.exe (PID: 2572)
      • Aut2exe.exe (PID: 1864)
      • PNCOMD.exe (PID: 3012)
      • crack.exe (PID: 892)

    • Reads the computer name

      • WinRAR.exe (PID: 3532)
      • 887Rat-main.exe (PID: 3132)
      • crack.exe (PID: 1760)
      • 887Rat.exe (PID: 3116)
      • flagx.exe (PID: 3428)
      • Aut2exe.exe (PID: 2600)
      • WinRAR.exe (PID: 2248)
      • AQACVJ.exe (PID: 372)
      • Aut2exe.exe (PID: 1864)
      • PNCOMD.exe (PID: 3012)
      • crack.exe (PID: 892)

    • Reads Microsoft Outlook installation path

      • 887Rat-main.exe (PID: 3132)

    • Executable content was dropped or overwritten

      • crack.exe (PID: 1760)
      • 887Rat-main.exe (PID: 3132)
      • Aut2exe.exe (PID: 2600)
      • 887Rat.exe (PID: 3116)
      • AQACVJ.exe (PID: 372)
      • Aut2exe.exe (PID: 1864)

    • Drops a file with a compile date too recent

      • crack.exe (PID: 1760)
      • 887Rat-main.exe (PID: 3132)
      • Aut2exe.exe (PID: 2600)
      • 887Rat.exe (PID: 3116)
      • AQACVJ.exe (PID: 372)
      • Aut2exe.exe (PID: 1864)

    • Reads internet explorer settings

      • 887Rat-main.exe (PID: 3132)

    • Reads mouse settings

      • 887Rat.exe (PID: 3116)
      • AQACVJ.exe (PID: 372)
      • PNCOMD.exe (PID: 3012)

  • INFO

    • Manual execution by user

      • 887Rat-main.exe (PID: 3132)
      • 887Rat.exe (PID: 3116)
      • WinRAR.exe (PID: 2248)
      • AQACVJ.exe (PID: 372)
      • PNCOMD.exe (PID: 3012)
      • crack.exe (PID: 892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 100450225
UncompressedSize: 100450172
OperatingSystem: Win32
ModifyDate: 2022:06:10 20:38:26
PackingMethod: Stored
ArchivedFileName: 887Rat-main\887Rat-main.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
12
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start winrar.exe no specs 887rat-main.exe crack.exe 887rat.exe winrar.exe no specs flagx.exe no specs aut2exe.exe aqacvj.exe exe2msi.exe no specs aut2exe.exe pncomd.exe no specs crack.exe

Process information

PID
CMD
Path
Indicators
Parent process
3532"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\887Rat-main.rar"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3132"C:\Users\admin\Desktop\887Rat-main\887Rat-main.exe" C:\Users\admin\Desktop\887Rat-main\887Rat-main.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1760"C:\Users\admin\Desktop\887Rat-main\crack.exe" C:\Users\admin\Desktop\887Rat-main\crack.exe
887Rat-main.exe
User:
admin
Integrity Level:
MEDIUM
3116"C:\Users\admin\Desktop\887Rat-main\887Rat.exe" C:\Users\admin\Desktop\887Rat-main\887Rat.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
2248"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\887Rat-main\887Rat-main.exe" C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
3428"C:\Users\admin\AppData\Local\Temp\flagx.exe" C:\Users\admin\AppData\Local\Temp\flagx.exe887Rat.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2600C:\Users\admin\AppData\Local\Temp\Aut2exe.exe /in C:\Users\admin\AppData\Local\Temp/QDZPLS /out C:\Users\admin\AppData\Local\Temp/AQACVJ.exe /icon C:\Users\admin\AppData\Local\Temp\ssc.ico /comp 2 /nopack /UnicodeC:\Users\admin\AppData\Local\Temp\Aut2exe.exe
887Rat.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
Aut2Exe
Exit code:
0
Version:
3, 3, 8, 1
372"C:\Users\admin\Desktop\887Rat-main\AQACVJ.exe" C:\Users\admin\Desktop\887Rat-main\AQACVJ.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Version:
3, 3, 8, 1
2572"C:\Users\admin\AppData\Local\Temp\exe2msi.exe" C:\Users\admin\AppData\Local\Temp\exe2msi.exe887Rat.exe
User:
admin
Company:
APREL Technologies
Integrity Level:
MEDIUM
Description:
Exe to MSI Conveter
Exit code:
0
Version:
2.0
1864C:\Users\admin\AppData\Local\Temp\Aut2exe.exe /in C:\Users\admin\AppData\Local\Temp/AVNLUS /out C:\Users\admin\AppData\Local\Temp/PNCOMD.exe /icon C:\Users\admin\AppData\Local\Temp\ssc.ico /comp 2 /nopack /UnicodeC:\Users\admin\AppData\Local\Temp\Aut2exe.exe
887Rat.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
Aut2Exe
Exit code:
0
Version:
3, 3, 8, 1
Total events
5 411
Read events
5 347
Write events
64
Delete events
0

Modification events

(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3532) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\887Rat-main.rar
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3532) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
26
Suspicious files
160
Text files
405
Unknown types
7

Dropped files

PID
Process
Filename
Type
3532WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3532.33003\887Rat-main\887Rat-main.exe
MD5:
SHA256:
3132887Rat-main.exeC:\Users\admin\Desktop\887Rat-main\887Rat.exe
MD5:
SHA256:
3116887Rat.exeC:\Users\admin\AppData\Local\Temp\aut8E32.tmp
MD5:
SHA256:
3116887Rat.exeC:\Users\admin\AppData\Local\Temp\ziwbnfi
MD5:
SHA256:
3132887Rat-main.exeC:\Users\admin\Desktop\887Rat-main\learn all kind of hacking.urlurl
MD5:7ADE4A739CBD8F44D0EF52A2F1BC6E7B
SHA256:CC7649ED53C65E4851ACE414529564FE16801BB2BED4CB15588BFD6B4AC13616
3132887Rat-main.exeC:\Users\admin\Desktop\887Rat-main\crack.exeexecutable
MD5:A0A22BA1E62B67B91905665B86DF33B3
SHA256:E3CB33466BED760B23A24BD723B68CCB5DA82EE350793F4CDE7AA5AD53541B94
1760crack.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exeexecutable
MD5:A0A22BA1E62B67B91905665B86DF33B3
SHA256:E3CB33466BED760B23A24BD723B68CCB5DA82EE350793F4CDE7AA5AD53541B94
3116887Rat.exeC:\Users\admin\AppData\Local\Temp\skin.888All.msstylesexecutable
MD5:060779CE2FDB52BFB9E7463704852D29
SHA256:1BD90D1C7FF94B4EC5369A9F94E446F96566A6286ADEDE460584FD247B7BD540
3116887Rat.exeC:\Users\admin\AppData\Local\Temp\autA8E2.tmpbinary
MD5:D2A0137EE5358F3C358E5B5BB1B6684A
SHA256:D916475C069333FD191310CBDEE5AAA48C0EAAFE1827560BE54829953F8B58E3
3116887Rat.exeC:\Users\admin\AppData\Local\Temp\autA806.tmpbinary
MD5:6EEC45C48DE3F0E556D4728AB92BA277
SHA256:45333F3C290C0423B7B2D7DCF14D0EA3B93443322D96879AD61A5BBB0C0D3F69
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
887Rat-main.rar