| File name: | _Cracked_Streambot_2.rar |
| Full analysis: | https://app.any.run/tasks/5c4937ea-a0b8-49c4-aa57-52c658c93b79 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | May 15, 2019, 18:29:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | C98AAE43EC84FADC9EAC5EBC0CD7A1B2 |
| SHA1: | FCD63318B9146484A521D9AFC0AFC0AE17F13D18 |
| SHA256: | 141FB3AB10523E8624E5736218F9A6B7A8CD1FFB3862444F491D5792FA6D3142 |
| SSDEEP: | 196608:R9itwJNPwD7qM2KFJUycFd+o+zOwAd+jDoWRJO4Zvj57UIG+uMNZkyzf29F0Hl:uiJNYy4C/Fd+ond47nOc9UIG+DZ/29Fg |
MALICIOUS
Known privilege escalation attack
- Streambot 2.exe (PID: 3856)
Application was dropped or rewritten from another process
- streambot2.exe (PID: 3384)
- Protectedcy.exe (PID: 3732)
- 22.exe (PID: 2344)
- Protectednj.exe (PID: 3352)
- Protectedin.exe (PID: 1696)
- Protectedwo.exe (PID: 3872)
- ZVKQHTPNL.exe (PID: 3304)
- Protectedwo.exe (PID: 572)
- Protectedwo.exe (PID: 3472)
- Protectedwo.exe (PID: 2192)
- Protectedwo.exe (PID: 3568)
- Protectedwo.exe (PID: 2956)
- Protectedwo.exe (PID: 1012)
- 2222.sfx.exe (PID: 3136)
- 2222.exe (PID: 3652)
- SDVGJHKHC.exe (PID: 1492)
- Protectedcy.exe (PID: 1212)
- Protectedcy.exe (PID: 3892)
- Streambot 2.exe (PID: 3856)
- vgdsikgkkebi.exe (PID: 1104)
- avfpdwwevrto.exe (PID: 772)
- orrqrpcsgwbz.exe (PID: 2412)
- SystemProcess.exe (PID: 3452)
- skecatbucrom.exe (PID: 2556)
- skecatbucrom.exe (PID: 3724)
- skecatbucrom.exe (PID: 1748)
- skecatbucrom.exe (PID: 2224)
- skecatbucrom.exe (PID: 1640)
- Streambot 2.exe (PID: 3660)
- Protectedcy.exe (PID: 736)
- kgedvkmaodrl.exe (PID: 2784)
- skecatbucrom.exe (PID: 2616)
- Protectedcy.exe (PID: 2432)
- skecatbucrom.exe (PID: 3412)
Uses Task Scheduler to run other applications
- Protectedwo.exe (PID: 572)
- 22.exe (PID: 2344)
- 2222.exe (PID: 3652)
- Protectedcy.exe (PID: 3732)
- Protectedin.exe (PID: 1696)
- Streambot 2.exe (PID: 3660)
- Protectednj.exe (PID: 3352)
- skecatbucrom.exe (PID: 2616)
- Protectedcy.exe (PID: 736)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 2540)
- schtasks.exe (PID: 3496)
- schtasks.exe (PID: 2844)
- schtasks.exe (PID: 868)
- schtasks.exe (PID: 944)
- schtasks.exe (PID: 3164)
- schtasks.exe (PID: 488)
- schtasks.exe (PID: 2256)
- schtasks.exe (PID: 2468)
- schtasks.exe (PID: 3396)
- schtasks.exe (PID: 776)
Changes the autorun value in the registry
- 22.exe (PID: 2344)
- 2222.exe (PID: 3652)
Loads dropped or rewritten executable
- SearchProtocolHost.exe (PID: 2920)
Detected Imminent RAT
- RegSvcs.exe (PID: 1012)
NJRAT was detected
- RegAsm.exe (PID: 1332)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3348)
- 2222.sfx.exe (PID: 3136)
- Streambot 2.exe (PID: 3660)
- Protectedwo.exe (PID: 572)
- 22.exe (PID: 2344)
- 2222.exe (PID: 3652)
- Protectedcy.exe (PID: 3732)
- Protectedin.exe (PID: 1696)
- Protectednj.exe (PID: 3352)
Modifies the open verb of a shell class
- Streambot 2.exe (PID: 3856)
Application launched itself
- Protectedwo.exe (PID: 572)
- Protectedcy.exe (PID: 3732)
- Protectedcy.exe (PID: 1212)
- skecatbucrom.exe (PID: 2616)
- Protectedcy.exe (PID: 3892)
- Protectedcy.exe (PID: 736)
Creates files in the user directory
- Protectedcy.exe (PID: 3732)
- Protectednj.exe (PID: 3352)
- RegSvcs.exe (PID: 1012)
- Protectedcy.exe (PID: 3892)
Uses NETSH.EXE for network configuration
- RegAsm.exe (PID: 1332)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
120
Monitored processes
67
Malicious processes
14
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 480 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | Streambot 2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5420 (Win7SP1.050727-5400) Modules
| |||||||||||||||
| 488 | "C:\Windows\System32\schtasks.exe" /create /tn 64726F72657674646B76657A /tr "C:\Users\admin\vifvmlpqaqjf\kgedvkmaodrl.exe" /sc minute /mo 1 /F | C:\Windows\System32\schtasks.exe | — | Streambot 2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 572 | "C:\Users\admin\AppData\Local\Temp\Protectedwo.exe" | C:\Users\admin\AppData\Local\Temp\Protectedwo.exe | Streambot 2.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 736 | "C:\Users\admin\AppData\Local\Temp\Protectedcy.exe" | C:\Users\admin\AppData\Local\Temp\Protectedcy.exe | — | Protectedcy.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 772 | C:\Users\admin\AppData\Roaming\kdqyicnifumh\avfpdwwevrto.exe | C:\Users\admin\AppData\Roaming\kdqyicnifumh\avfpdwwevrto.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 776 | "C:\Windows\System32\schtasks.exe" /create /tn 707A766E636B73687A646668 /tr "C:\Users\admin\AppData\Roaming\kdqyicnifumh\avfpdwwevrto.exe" /sc minute /mo 1 /F | C:\Windows\System32\schtasks.exe | — | Protectedcy.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 868 | schtasks.exe /create /tn VNBZOAYJFDRA /tr C:\Users\admin\AppData\Local\GKULWJXZKHORQKT\SystemProcess.exe /sc onidle /i 1 | C:\Windows\system32\schtasks.exe | — | 2222.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 908 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | Streambot 2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5420 (Win7SP1.050727-5400) Modules
| |||||||||||||||
| 944 | schtasks.exe /create /tn VNBZOAYJFDRA /tr C:\Users\admin\AppData\Local\GKULWJXZKHORQKT\SystemProcess.exe /sc minute /mo 1 | C:\Windows\system32\schtasks.exe | — | 2222.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1012 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Protectedin.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 Modules
| |||||||||||||||
Total events
2 761
Read events
2 620
Write events
141
Delete events
0
Modification events
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\_Cracked_Streambot_2.rar | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2920) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2920) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | @C:\Windows\system32\notepad.exe,-469 |
Value: Text Document | |||
Executable files
27
Suspicious files
8
Text files
387
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\curl.exe | executable | |
MD5:B22281F1DD04E1D09643E437AAEEE065 | SHA256:83D1FDB808BD681100DD946A7CFB2D7AB39ED1553D71261DFEA30B727D786F00 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap27.dat | image | |
MD5:A9BF84458AC8543C6FA09A24A669B88D | SHA256:E795A59234C8935964EBF74C762F7BE09ADC7B6B74DD47F982B58D7FBAE52516 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap19.dat | image | |
MD5:42BC9A74D40E97E194DA9EB07C8304D1 | SHA256:FEF73F3330FEEBF6591FCF11E695370D98CED4342F25EE0D6984BC6BD031346D | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap11.dat | compressed | |
MD5:EEB4B272A3C00AB96E0D854BDF67BB9A | SHA256:BC42AC736F96D0CD124FDA4933B83B64C7DA3E8DC4C764D87215D2F332B8B280 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap1.dat | text | |
MD5:38DE427224A5082A04FE82E2BD4EA9EC | SHA256:12F99F53144294750FE8713D580EDA286F4BD95CD9C840DB8AB957DEF8040028 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap10.dat | image | |
MD5:15FEC6C33A20A6ECB295FA55514781E7 | SHA256:E238521A1915A0C488D87FA0068D03135BA2D806268F58E973B858195975B20D | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap12.dat | image | |
MD5:D8D7A1347773A2F1BF652174075C6BC3 | SHA256:4D19EEFAA357F7EAC71FA28EB55AAD26627716B6ABE6F0361C4948E69E7ECB62 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap13.dat | image | |
MD5:636121997F8139FA039DA7EAA207C23F | SHA256:7F7E0C0BAA8EDB2035D7108ED7760C7F26D80205CB6CA2609904E5B8F69BE6F1 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap15.dat | image | |
MD5:9739753453EC79E41C49500DDA06D0C9 | SHA256:56407243DFEA14F0A42D5CD7E0D7CE3D3D828C83AB3C1A70FC3E09056E99D110 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap20.dat | image | |
MD5:694B28725867A2C893A2535CA310ACB8 | SHA256:475FE9452812C91BCD7208687DE014419FDC0C77FE29747FD18DDA3EADACAEA8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
31
DNS requests
11
Threats
4
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1492 | SDVGJHKHC.exe | 83.49.248.1:2222 | pooleu.xmrminingpool.net | Telefonica De Espana | ES | unknown |
3304 | ZVKQHTPNL.exe | 83.49.248.1:2222 | pooleu.xmrminingpool.net | Telefonica De Espana | ES | unknown |
1012 | RegSvcs.exe | 192.69.169.25:9003 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
1332 | RegAsm.exe | 192.69.169.25:5553 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
3892 | Protectedcy.exe | 192.69.169.25:1552 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
3892 | Protectedcy.exe | 192.69.169.25:1978 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
— | — | 83.49.248.1:2222 | pooleu.xmrminingpool.net | Telefonica De Espana | ES | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pooleu.xmrminingpool.net |
| malicious |
dns.msftncsi.com |
| shared |
Chrome.mywire.org |
| malicious |
wuap.hopto.org |
| malicious |
todoaqui.duckdns.org |
| malicious |
malwaresbytes.duckdns.org |
| malicious |
Opera.mywire.org |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1068 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1068 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1068 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1068 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |