File name: | _Cracked_Streambot_2.rar |
Full analysis: | https://app.any.run/tasks/5c4937ea-a0b8-49c4-aa57-52c658c93b79 |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | May 15, 2019, 18:29:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | C98AAE43EC84FADC9EAC5EBC0CD7A1B2 |
SHA1: | FCD63318B9146484A521D9AFC0AFC0AE17F13D18 |
SHA256: | 141FB3AB10523E8624E5736218F9A6B7A8CD1FFB3862444F491D5792FA6D3142 |
SSDEEP: | 196608:R9itwJNPwD7qM2KFJUycFd+o+zOwAd+jDoWRJO4Zvj57UIG+uMNZkyzf29F0Hl:uiJNYy4C/Fd+ond47nOc9UIG+DZ/29Fg |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3348 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_Cracked_Streambot_2.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3856 | "C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe" | C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3652 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | Streambot 2.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1716 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | Streambot 2.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3660 | "C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe" | C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe | eventvwr.exe | |
User: admin Integrity Level: HIGH | ||||
3384 | "C:\Users\admin\AppData\Local\Temp\streambot2.exe" | C:\Users\admin\AppData\Local\Temp\streambot2.exe | — | Streambot 2.exe |
User: admin Company: Shadiku Izayoi, Emma Skye <neosyndicate.net> Integrity Level: HIGH Description: streambot² Exit code: 3221225781 Version: 2.5.0.0 | ||||
3732 | "C:\Users\admin\AppData\Local\Temp\Protectedcy.exe" | C:\Users\admin\AppData\Local\Temp\Protectedcy.exe | Streambot 2.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
1696 | "C:\Users\admin\AppData\Local\Temp\Protectedin.exe" | C:\Users\admin\AppData\Local\Temp\Protectedin.exe | Streambot 2.exe | |
User: admin Integrity Level: HIGH | ||||
3352 | "C:\Users\admin\AppData\Local\Temp\Protectednj.exe" | C:\Users\admin\AppData\Local\Temp\Protectednj.exe | Streambot 2.exe | |
User: admin Integrity Level: HIGH | ||||
572 | "C:\Users\admin\AppData\Local\Temp\Protectedwo.exe" | C:\Users\admin\AppData\Local\Temp\Protectedwo.exe | Streambot 2.exe | |
User: admin Integrity Level: HIGH Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap14.dat | image | |
MD5:58724CE63DFB037C86EE19358FC20157 | SHA256:D4D9BE6BFBAAF7B4215D149907182B8D92137628E0369986D07E8E27006817E8 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap12.dat | image | |
MD5:D8D7A1347773A2F1BF652174075C6BC3 | SHA256:4D19EEFAA357F7EAC71FA28EB55AAD26627716B6ABE6F0361C4948E69E7ECB62 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap10.dat | image | |
MD5:15FEC6C33A20A6ECB295FA55514781E7 | SHA256:E238521A1915A0C488D87FA0068D03135BA2D806268F58E973B858195975B20D | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap21.dat | image | |
MD5:83E5EEF02E173AC3EFD8CA49609EC5E3 | SHA256:87249BFB103A8FDE22FE5C6C77CB990E36AE31FBFF8A5FF8361F99199B0F79F4 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap23.dat | image | |
MD5:FA9AAF285BAD435122001B162B72F0B8 | SHA256:A6637FBCDEB5EA08A7297E2B50CA5EAA9039E99AD1B84A780007B3B34022E016 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap19.dat | image | |
MD5:42BC9A74D40E97E194DA9EB07C8304D1 | SHA256:FEF73F3330FEEBF6591FCF11E695370D98CED4342F25EE0D6984BC6BD031346D | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap20.dat | image | |
MD5:694B28725867A2C893A2535CA310ACB8 | SHA256:475FE9452812C91BCD7208687DE014419FDC0C77FE29747FD18DDA3EADACAEA8 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap15.dat | image | |
MD5:9739753453EC79E41C49500DDA06D0C9 | SHA256:56407243DFEA14F0A42D5CD7E0D7CE3D3D828C83AB3C1A70FC3E09056E99D110 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap18.dat | image | |
MD5:9073D4D6CB37AB39CAA44CFF241182EE | SHA256:19105802E9202F5070919D1326732BE8E8B0D0EF0B9E7DD11AA6BF7DD43042D3 | |||
3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1376\[Cracked]Streambot 2\V\includes\dat01\ap13.dat | image | |
MD5:636121997F8139FA039DA7EAA207C23F | SHA256:7F7E0C0BAA8EDB2035D7108ED7760C7F26D80205CB6CA2609904E5B8F69BE6F1 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1492 | SDVGJHKHC.exe | 83.49.248.1:2222 | pooleu.xmrminingpool.net | Telefonica De Espana | ES | unknown |
3304 | ZVKQHTPNL.exe | 83.49.248.1:2222 | pooleu.xmrminingpool.net | Telefonica De Espana | ES | unknown |
1012 | RegSvcs.exe | 192.69.169.25:9003 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
1332 | RegAsm.exe | 192.69.169.25:5553 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
3892 | Protectedcy.exe | 192.69.169.25:1552 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
3892 | Protectedcy.exe | 192.69.169.25:1978 | todoaqui.duckdns.org | ATLINK SERVICES, LLC | US | malicious |
— | — | 83.49.248.1:2222 | pooleu.xmrminingpool.net | Telefonica De Espana | ES | unknown |
Domain | IP | Reputation |
---|---|---|
pooleu.xmrminingpool.net |
| malicious |
dns.msftncsi.com |
| shared |
Chrome.mywire.org |
| malicious |
wuap.hopto.org |
| malicious |
todoaqui.duckdns.org |
| malicious |
malwaresbytes.duckdns.org |
| malicious |
Opera.mywire.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |