analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | njRAT_v0.7d_Danger_Edition.rar |
| Full analysis: | https://app.any.run/tasks/1e77afa9-84f3-49d4-aa6b-9808f12ab9e9 |
| Verdict: | Malicious activity |
| Analysis date: | February 06, 2022, 07:53:38 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v4, os: Win32 |
| MD5: | 8C48650F82E9C160966BE4D9D2F85D68 |
| SHA1: | 1BCB277A541F5A7420BCA4D9EE18859A8AFD6965 |
| SHA256: | 0572B75E548423C3B3FEB5BFBF3A84135D4B8EC8A736F5E83951107D3D7518A2 |
| SSDEEP: | 49152:GOrKFD5fs/BGK1HJJSlQSQcOZWDo/NwpaHUD0gaeS4er21WL6AeHLEwBNdbb:GOrKjfN0eROAyNAaQ0gze7LMLzBN1 |
MALICIOUS
Loads dropped or rewritten executable
- njRAT v0.7d Danger Edition.exe (PID: 2956)
- SearchProtocolHost.exe (PID: 3608)
Application was dropped or rewritten from another process
- njRAT v0.7d Danger Edition.exe (PID: 2956)
SUSPICIOUS
Reads the computer name
- WinRAR.exe (PID: 1380)
- njRAT v0.7d Danger Edition.exe (PID: 2956)
Checks supported languages
- WinRAR.exe (PID: 1380)
- njRAT v0.7d Danger Edition.exe (PID: 2956)
Reads Environment values
- njRAT v0.7d Danger Edition.exe (PID: 2956)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1380)
Drops a file that was compiled in debug mode
- WinRAR.exe (PID: 1380)
INFO
Manual execution by user
- njRAT v0.7d Danger Edition.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v-4.x) (58.3) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (41.6) |
EXIF
ZIP
| CompressedSize: | 1744 |
|---|---|
| UncompressedSize: | 8192 |
| OperatingSystem: | Win32 |
| ModifyDate: | 2017:04:01 19:30:20 |
| PackingMethod: | Normal |
| ArchivedFileName: | njRAT v0.7d Danger Edition\ar\NjRat 0.7D.resources.dll |
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1380 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\njRAT_v0.7d_Danger_Edition.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
| 3608 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | ||||
| 2956 | "C:\Users\admin\Desktop\njRAT v0.7d Danger Edition\njRAT v0.7d Danger Edition.exe" | C:\Users\admin\Desktop\njRAT v0.7d Danger Edition\njRAT v0.7d Danger Edition.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Description: Version: 1.0.0.0 | ||||
Total events
2 241
Read events
2 230
Write events
11
Delete events
0
Modification events
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\njRAT_v0.7d_Danger_Edition.rar | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
12
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\Plugin\cam.dll | executable | |
MD5:A73EDB60B80A2DFA86735D821BEA7B19 | SHA256:7A4977B024D048B71BCC8F1CC65FB06E4353821323F852DC6740B79B9AB75C98 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\Stub.manifest | xml | |
MD5:4D18AC38A92D15A64E2B80447B025B7E | SHA256:835A00D6E7C43DB49AE7B3FA12559F23C2920B7530F4D3F960FD285B42B1EFB5 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\Plugin\plg.dll | executable | |
MD5:0CBC2D9703FEEAD9783439E551C2B673 | SHA256:EA9ECF8723788FEEF6492BF938CDFAB1266A1558DFFE75E1F78A998320F96E39 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\UPX\mpress.exe | executable | |
MD5:8B632BFC3FE653A510CBA277C2D699D1 | SHA256:2852680C94A9D68CDAB285012D9328A1CECA290DB60C9E35155C2BB3E46A41B4 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\Plugin\pw.dll | executable | |
MD5:DB87DAF76C15F3808CEC149F639AA64F | SHA256:A3E4BEE1B6944AA9266BD58DE3F534A4C1896DF621881A5252A0D355A6E67C70 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\Plugin\ch.dll | executable | |
MD5:E747FA3339C1F138B6BFCE707B541D03 | SHA256:6E31148CC1B3235B71731C3944A7B06F861E104E978708D12C695EC09B5B3760 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\GeoIP.dat | binary | |
MD5:797B96CC417D0CDE72E5C25D0898E95E | SHA256:8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\WinMM.Net.dll | executable | |
MD5:D4B80052C7B4093E10CE1F40CE74F707 | SHA256:59E2AC1B79840274BDFCEF412A10058654E42F4285D732D1487E65E60FFBFB46 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\Stub.il | text | |
MD5:A44214201961678560414699F7490E11 | SHA256:801CA2B0C3066566B386FAAFA14133D93E84BD876445EF343EFA2EC29C042902 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.18953\njRAT v0.7d Danger Edition\UPX\Stub.exe | executable | |
MD5:46D6DD6FFB10A5D8EB9CDCD85F713486 | SHA256:31EFD38C8E6451D661CB09964C14ECA69B4B702A10EDA40762F8F005A500ACA5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report