Does anyone know if these two files are considered malware? I see a lot of things in the behavior tab that seem suspicious (but then again, I have no idea, and am relatively new/dumb).
Here are the images of the virustotal results I am referring to:
Also, I did see there was a noticeable slowness to my pc after I extracted the rar files (I was in a VM).
Thank you.
TLDR: I can’t say for 100% sure, but there are multiple reasons to believe that this is malware.
Long version: I’m seeing multiple suspicious things here.
- The IPs being connected to are part of some hoster and have some abuse reports: https://www.abuseipdb.com/check-block/217.20.58.98/29
- The domain being resolved is qcloud[.]com, which belongs to Tencent Cloud and definitely not Microsoft.
- Other domains in memory like counter-strike[.]com[.]ua are very new and definitely sound fishy.
- A standalone version of 7zip is being run and extracts the created rar file with the password “infected”. Real alarm bells here.
- A lot of the registry actions look like anti-debugging, which does not sound like something an Illustrator Plugin would do.
- Malware or not, remember to update WinRAR: https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/
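As an added example (not from the thread or any of the posters), here is a small Python triage script that checks a constructed sandbox behaviour report for three of the indicators raised above: DNS lookups outside the vendor's own domain, traffic into the abuse-reported block, and a 7-Zip extraction run with a password. The report layout, the Adobe allow-list and all sample values are assumptions.

```python
"""Triage a constructed sandbox behaviour report against the indicators
raised in the thread. Report layout, allow-list and samples are assumptions."""
import ipaddress
import json
import re

# Constructed sample, loosely shaped like a sandbox "behavior" tab (not real data).
SAMPLE_REPORT = json.dumps({
    "dns_lookups": ["qcloud.com", "counter-strike.com.ua", "adobe.com"],
    "ip_traffic": ["217.20.58.99", "23.45.67.89"],
    "processes": [
        "C:\\plugin\\setup.exe",
        "7z.exe x -pinfected -y C:\\Users\\user\\AppData\\Local\\Temp\\payload.rar",
    ],
})

# The block the thread links to on AbuseIPDB; strict=False because .98 is a
# host address inside the /29, not the network address.
ABUSIVE_NETWORKS = [ipaddress.ip_network("217.20.58.98/29", strict=False)]
# Domains an Illustrator plugin would plausibly contact (assumption for the demo).
EXPECTED_DOMAIN_SUFFIXES = ("adobe.com", ".adobe.com")
# 7-Zip extract (x/e) with a -p<password> switch is the behaviour called out above.
SEVEN_ZIP_PASSWORD = re.compile(r"\b7z\S*\s+[xe]\b.*?-p(\S+)", re.IGNORECASE)


def triage(report_json: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    report = json.loads(report_json)
    findings = []
    for domain in report.get("dns_lookups", []):
        if not domain.endswith(EXPECTED_DOMAIN_SUFFIXES):
            findings.append(f"unexpected DNS lookup: {domain}")
    for ip in report.get("ip_traffic", []):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ABUSIVE_NETWORKS):
            findings.append(f"traffic to reported-abusive network: {ip}")
    for cmdline in report.get("processes", []):
        match = SEVEN_ZIP_PASSWORD.search(cmdline)
        if match:
            password = match.group(1).strip('"')
            note = " (the conventional sample password)" if password == "infected" else ""
            findings.append(f"archive extracted with password '{password}'{note}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

The allow-list and network list are the parts to adapt: the script only makes sense once they reflect what the software under review is actually expected to talk to.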
There are some suspicious things going on like the qcloud and counter-strike domains, as well as the 7zip extract being run.
I would probably get rid of it.
I installed 7zip if that made it appear (not sure if it is the case though). Yeah, I may have to just pay for subscriptions with money I can’t afford :S
I suppose you can probably do most things without the plugins too, just more time intensive
Unlikely for the rar file itself. The exe seems a little suspicious, so I would scan that file individually. Hard to say without unpacking and examining it.
Should I have scanned the extracted folders rather than the rar file itself? (even though it shows network communications and mitre signatures?)
I ran an antivirus outside the VM and nothing was detected luckily. (I had already extracted the rar files, but just scanned the rar itself)
Yes, scan the potential malware directly (exe, dll files). Not all scanners support extracting archives.
No it’s fine, clearly it did extract the rar file and run everything.