» rar.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

rar.exe

The executable rar.exe has been detected as malware by 29 anti-virus scanners. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address m36.pkhyeu.men on port 855.

File name:

rar.exe

Version:

3, 3, 8, 1

MD5:

092fdd66a42232465952afb881e9685f

SHA-1:

5b1c3c4ed8d6fe55d6902b1c3a1c8540d2e5a8ed

SHA-256:

b4e759adfc10240b2fc6ad2b3cc3c1172aef61d2096b4ac9fcebba6940745c36

Scanner detections:

29 / 68

Status:

Malware

Analysis date:

4/26/2024 7:07:15 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.8919502

896

Avira AntiVirus

TR/Dropper.Gen

7.11.153.40

avast!

Win32:Downloader-TOU [Trj]

2014.9-140822

AVG

Generic7_c

2015.0.3374

Baidu Antivirus

Trojan.Win32.Autoit

4.0.3.14822

Bitdefender

Trojan.Generic.8919502

1.0.20.1170

Bkav FE

W32.Clodb94.Trojan

1.3.0.4959

Comodo Security

UnclassifiedMalware

18436

Dr.Web

Trojan.DownLoader4.56255

9.0.1.0234

Emsisoft Anti-Malware

Trojan.Generic.8919502

8.14.08.22.01

ESET NOD32

Win32/Spy.Zbot.YW

8.9893

Fortinet FortiGate

W32/Yakes.AAO!tr

8/22/2014

F-Prot

W32/AutoIt.AQ.gen

v6.4.7.1.166

F-Secure

Trojan.Generic.8919502

11.2014-22-08_6

G Data

Trojan.Generic.8919502

14.8.24

IKARUS anti.virus

Trojan-Dropper

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.1712305

Kaspersky

Trojan.Win32.Autoit

14.0.0.3367

McAfee

Artemis!092FDD66A422

5600.7030

MicroWorld eScan

Trojan.Generic.8919502

15.0.0.702

NANO AntiVirus

Trojan.Win32.Injector.bozkgs

0.28.0.60100

Norman

Troj_Generic.JSASX

11.20140822

nProtect

Trojan.Generic.8919502

14.06.04.01

Panda Antivirus

Trj/CI.A

14.08.22.01

Qihoo 360 Security

HEUR/Malware.QVM10.Gen

1.0.0.1015

Sophos

Troj/Autoit-SI

4.98

Trend Micro House Call

TROJ_SPNR.2BE513

7.2.234

Trend Micro

TROJ_SPNR.2BE513

10.465.22

VIPRE Antivirus

Trojan.Win32.Generic

29938

File size:

1.2 MB (1,267,434 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\rar.exe

File PE Metadata

Compilation timestamp:

1/29/2012 11:32:28 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:uRmJkcoQricOIQxiZY1iaCJuxcyC2UUqXdWQRs4/tJOQP9Yv2xUljoj:7JZoQrbTFZY1iaCJuiyzULd/vYgeoj

Entry address:

0x165C1

Entry point:

E8, 16, 90, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, 24, 97, 4A, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, DD, 03, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 40, 67, 41, 00, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03, C8... 
[+]

Entropy:

7.4868

Code size:

514 KB (526,336 bytes)

Windows Firewall Allowed Program

Name:

C:\users\{user}\appdata\roaming\rar.exe

The executing file has been seen to make the following network communication in live environments.

TCP:

Connects to m36.pkhyeu.men (94.73.33.36:855)

Remove rar.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.