File name:

Remote Utilities - Host.7z

Full analysis: https://app.any.run/tasks/da97789d-1c4f-42ea-b1a4-8a2579c42928
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 09, 2024, 07:37:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
rurat
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

B5ECBA37F0ECA06585FC55E242CD41C3

SHA1:

19BD8FC4942BB8C0BE6F3EDED4F61B55C9B9ADE5

SHA256:

E3EBE267D50CACC24D734DF4287E85AD4767B32697AAC3865702E95561715007

SSDEEP:

98304:Qjw3sKoXoyhXjoQ4EjQQLT2NYCeM0L5/JADJ7v5aO4tEr9W8MSBzP0Qx3c+QHo+j:94yB/g+xBXViwp8zvv4yt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3960)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3960)
    • The process drops C-runtime libraries

      • WinRAR.exe (PID: 3960)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3960)
    • Application launched itself

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2484)
    • Reads the date of Windows installation

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2040)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2244)
    • Connects to unusual port

      • rutserv.exe (PID: 2040)
    • Reads the Windows owner or organization settings

      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2764)
    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3960)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3960)
    • Reads the machine GUID from the registry

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2040)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
      • rutserv.exe (PID: 2484)
    • Process checks computer location settings

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2040)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
    • Drops Remote Utils RAT executable file

      • WinRAR.exe (PID: 3960)
    • Reads Windows Product ID

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
      • rutserv.exe (PID: 2040)
    • Reads Environment values

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2040)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
    • Reads product name

      • rutserv.exe (PID: 2040)
      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
    • Checks supported languages

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2040)
      • wmpnscfg.exe (PID: 1864)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
    • Reads the computer name

      • rutserv.exe (PID: 752)
      • rutserv.exe (PID: 2040)
      • wmpnscfg.exe (PID: 1864)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2764)
      • rutserv.exe (PID: 2780)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1864)
      • rutserv.exe (PID: 2244)
      • rutserv.exe (PID: 1284)
      • rutserv.exe (PID: 2344)
      • rutserv.exe (PID: 1008)
      • rutserv.exe (PID: 2484)
      • rutserv.exe (PID: 2780)
    • Creates files or folders in the user directory

      • rutserv.exe (PID: 2040)
    • Reads CPU info

      • rutserv.exe (PID: 2272)
      • rutserv.exe (PID: 2764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 13
Malicious processes: 6
Suspicious processes: 3

Behavior graph

Processes shown in the graph (details in the full report): winrar.exe, 11 instances of rutserv.exe, wmpnscfg.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 752
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\rutserv.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\rutserv.exe
Parent process: WinRAR.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
HIGH
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3960.12121\remote utilities - host\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1008
CMD: "C:\Users\admin\Desktop\rutserv.exe"
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: explorer.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
MEDIUM
Description:
Remote Utilities - Host
Exit code:
3221226540
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
PID: 1284
CMD: "C:\Users\admin\Desktop\rutserv.exe"
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: explorer.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
MEDIUM
Description:
Remote Utilities - Host
Exit code:
3221226540
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
PID: 1864
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2040
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\rutserv.exe" -run_agent -second
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\rutserv.exe
Parent process: rutserv.exe
User:
SYSTEM
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
SYSTEM
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3960.12121\remote utilities - host\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2244
CMD: "C:\Users\admin\Desktop\rutserv.exe"
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: explorer.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
HIGH
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2272
CMD: C:\Users\admin\Desktop\rutserv.exe -run_agent -second
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: rutserv.exe
User:
SYSTEM
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
SYSTEM
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2344
CMD: "C:\Users\admin\Desktop\rutserv.exe"
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: explorer.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
HIGH
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2484
CMD: "C:\Users\admin\Desktop\rutserv.exe"
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: explorer.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
HIGH
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2764
CMD: C:\Users\admin\Desktop\rutserv.exe -run_agent -second
Path: C:\Users\admin\Desktop\rutserv.exe
Parent process: rutserv.exe
User:
SYSTEM
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
SYSTEM
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.2.1.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 20 394
Read events: 20 332
Write events: 62
Delete events: 0

Modification events

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Remote Utilities - Host.7z

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3960) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 40
Suspicious files: 4
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x86\ntprint.inf | txt
MD5:6476F7217D9D6372361B9E49D701FB99
SHA256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Logs\rut_log_2024-01.html | html
MD5:A3F6F79CF352ED16EADC559A54CF8BDF
SHA256:E016ECD89A1726C35B678FFC6DF596CF4889A4B56D7C41A10AD7047D0B6265B3
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x64\printer.ico | image
MD5:6F70BD62A17EC5B677EC1129F594EE6F
SHA256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\common\rupd.lng | text
MD5:1614E6CDF119FD284D476F7E6723B3AD
SHA256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\eventmsg.dll | executable
MD5:CA8A4346B37CDD0220792885C5937B30
SHA256:CCD5B9E5947F956E880BD2285A6091DC9F1EE9B0EB8DF627EC4E72B451A1C745
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x64\rupd.gpd | text
MD5:8EE7FD65170ED9BD408E0C821171B62A
SHA256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x86\rupd.gpd | text
MD5:8EE7FD65170ED9BD408E0C821171B62A
SHA256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x64\rupd.lng | text
MD5:1614E6CDF119FD284D476F7E6723B3AD
SHA256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x86\stdnames_vpd.gpd | text
MD5:7162D8977515A446D2C1E139DA59DED5
SHA256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
3960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3960.12121\Remote Utilities - Host\Printer\x86\rupd.ini | text
MD5:610DFCD7FF61B76DAAC9DDC3CDAA64A9
SHA256:7BA0ACE1E899C38CB5E8BF303868C0AB4B9890D536009CF21C958B114888DFA3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
2040 | rutserv.exe | 64.20.61.146:5655 | id71.remoteutilities.com | IS-AS-1 | US | unknown

DNS requests

Domain | IP | Reputation
id71.remoteutilities.com | 64.20.61.146 | unknown

Threats

No threats detected
Process | Message
rutserv.exe | 09-05-2024_08:38:40:880#T:Error #19 @2