File name:

SMTP Cracker V3.2.exe

Full analysis: https://app.any.run/tasks/5464ffea-34b8-4795-8527-915f2dc76a17
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: February 09, 2024, 22:28:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

7B7E33919ABAAC7C2230A24F5175B61A

SHA1:

616A224925F0577ED900137CF0635D454B0D0C66

SHA256:

058593C2A0B2E3E38F420613659E72C86219F37F78A4C1F907DDF507257A70B1

SSDEEP:

98304:sLpheNx6zan2Gi49PGY96UCZwc7nftkti7DawJcwI8ymAFL1EEnIq5miA3AVrLfK:qELBRer6A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • SMTP Cracker V3.2.exe (PID: 3772)
      • rundll.exe (PID: 1776)

    • NjRAT is detected

      • rundll.exe (PID: 1776)

    • Create files in the Startup directory

      • rundll.exe (PID: 1776)

    • Changes the autorun value in the registry

      • rundll.exe (PID: 1776)

    • NJRAT has been detected (SURICATA)

      • rundll.exe (PID: 1776)

    • Connects to the CnC server

      • rundll.exe (PID: 1776)

    • NJRAT has been detected (YARA)

      • rundll.exe (PID: 1776)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • SMTP Cracker V3.2.exe (PID: 3772)

    • Executable content was dropped or overwritten

      • SMTP Cracker V3.2.exe (PID: 3772)
      • rundll.exe (PID: 1776)

    • Reads the Internet Settings

      • SMTP Cracker V3.2.exe (PID: 3772)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • rundll.exe (PID: 1776)

    • Connects to unusual port

      • rundll.exe (PID: 1776)

  • INFO

    • Reads the computer name

      • SMTP Cracker V3.2.exe (PID: 3772)
      • rundll.exe (PID: 1776)

    • Checks supported languages

      • SMTP Cracker V3.2.exe (PID: 3772)
      • rundll.exe (PID: 1776)

    • Create files in a temporary directory

      • SMTP Cracker V3.2.exe (PID: 3772)

    • Creates files or folders in the user directory

      • rundll.exe (PID: 1776)

    • Reads the machine GUID from the registry

      • rundll.exe (PID: 1776)

    • Reads Environment values

      • rundll.exe (PID: 1776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(1776) rundll.exe
C2anajit.hopto.org
Ports1177
BotnetGroupe
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\afc36350fc89b7b03a13fd5d08886385
Splitter|'|'|
Version0.7d
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:27 05:38:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x310d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start smtp cracker v3.2.exe #NJRAT rundll.exe netsh.exe no specs smtp cracker v3.2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1776"C:\Users\admin\AppData\Local\Temp\rundll.exe" C:\Users\admin\AppData\Local\Temp\rundll.exe
SMTP Cracker V3.2.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rundll.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
NjRat
(PID) Process(1776) rundll.exe
C2anajit.hopto.org
Ports1177
BotnetGroupe
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\afc36350fc89b7b03a13fd5d08886385
Splitter|'|'|
Version0.7d
3668"C:\Users\admin\AppData\Local\Temp\SMTP Cracker V3.2.exe" C:\Users\admin\AppData\Local\Temp\SMTP Cracker V3.2.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\smtp cracker v3.2.exe
c:\windows\system32\ntdll.dll
3772"C:\Users\admin\AppData\Local\Temp\SMTP Cracker V3.2.exe" C:\Users\admin\AppData\Local\Temp\SMTP Cracker V3.2.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\smtp cracker v3.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
3932netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\rundll.exe" "rundll.exe" ENABLEC:\Windows\System32\netsh.exerundll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
Total events
3 765
Read events
3 669
Write events
96
Delete events
0

Modification events

(PID) Process:(3772) SMTP Cracker V3.2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3772) SMTP Cracker V3.2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3772) SMTP Cracker V3.2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3772) SMTP Cracker V3.2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1776) rundll.exeKey:HKEY_CURRENT_USER
Operation:writeName:di
Value:
!
(PID) Process:(1776) rundll.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(3932) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3932) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-100
Value:
DHCP Quarantine Enforcement Client
(PID) Process:(3932) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-101
Value:
Provides DHCP based enforcement for NAP
(PID) Process:(3932) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-103
Value:
1.0
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3772SMTP Cracker V3.2.exeC:\Users\admin\AppData\Local\Temp\rundll.exeexecutable
MD5:3173FFCF9D577267E409D9C98ACF866D
SHA256:2C51248F0C354DD3C3FFAB0AD684E612857475D8FBBE043C2E24BA0392F354AF
1776rundll.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\afc36350fc89b7b03a13fd5d08886385.exeexecutable
MD5:3173FFCF9D577267E409D9C98ACF866D
SHA256:2C51248F0C354DD3C3FFAB0AD684E612857475D8FBBE043C2E24BA0392F354AF
3772SMTP Cracker V3.2.exeC:\Users\admin\AppData\Local\Temp\SMTP Cracker V4.exeexecutable
MD5:81AABCC46CE7B6F11BB603020AA0B6A6
SHA256:3B9F4A6C4C47AC8B8DE82C05F2506AF223F873BAFAF8EB5F07C7F9E99634626A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
7

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1776
rundll.exe
41.142.26.106:1177
anajit.hopto.org
MT-MPLS
MA
unknown

DNS requests

Domain
IP
Reputation
anajit.hopto.org
  • 41.142.26.106
malicious

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.hopto .org
1776
rundll.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SMTP Cracker V3.2.exe