File name: Archive-ff4f.zip

Full analysis: https://app.any.run/tasks/ea2fef6e-c6ca-4a59-abad-26650808211a
Verdict: Malicious activity
Threats: njRAT
njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: October 20, 2020, 03:25:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 74261928907B7D780B8E61112D367D05
SHA1: 1927A73A3645C72C72DD25859F172ED628B3B2A8
SHA256: 17DBD865D9D346FD8FC2855309D88CD638CE3669A01759E90F611DD0490AA555
SSDEEP: 3072:1/tgZDDja2Smhp0acbccHvD3RI3bJr6YDxd4Uo/9gZDDjaG/pglDDjHn9:1/qDDj/V8KxDxd4Uo/aDDjP/CDDjd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Lammer.exe (PID: 924)
      • Synapse Cracked.exe (PID: 584)
      • Synapse Cracked.exe (PID: 2108)
      • Synapse X Remake Beta Release.exe (PID: 2132)
      • System.exe (PID: 3700)
    • Changes settings of System certificates
      • Synapse X Remake Beta Release.exe (PID: 2132)
    • NJRAT was detected
      • System.exe (PID: 3700)
    • Changes the autorun value in the registry
      • System.exe (PID: 3700)
    • Writes to a start menu file
      • System.exe (PID: 3700)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2192)
      • Synapse Cracked.exe (PID: 2108)
      • Lammer.exe (PID: 924)
      • System.exe (PID: 3700)
    • Starts itself from another location
      • Lammer.exe (PID: 924)
    • Reads Environment values
      • Synapse X Remake Beta Release.exe (PID: 2132)
    • Adds / modifies Windows certificates
      • Synapse X Remake Beta Release.exe (PID: 2132)
    • Uses NETSH.EXE for network configuration
      • System.exe (PID: 3700)
    • Creates files in the user directory
      • System.exe (PID: 3700)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: None
ZipModifyDate: 2020:10:18 21:45:20
ZipCRC: 0x8a7bbefb
ZipCompressedSize: 459881
ZipUncompressedSize: 459881
ZipFileName: Synapse Cracked.exe
No data.
Total processes: 46
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process chain shown in the graph (edge labels as rendered; parent/child relations match the Process information section below):
  winrar.exe --drop and start--> synapse cracked.exe (no specs)
  winrar.exe --drop and start--> synapse cracked.exe
  synapse cracked.exe --drop and start--> lammer.exe
  synapse cracked.exe --drop and start--> synapse x remake beta release.exe
  lammer.exe --drop and start--> system.exe (#NJRAT)
  system.exe --start--> netsh.exe (no specs)

Process information

PID 2192 (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Archive-ff4f.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 584 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.16258\Synapse Cracked.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.16258\Synapse Cracked.exe
  User: admin | Company: Java@Registred | Integrity Level: MEDIUM | Description: JavaUpadate.exe | Exit code: 3221226540 | Version: 7.02.0012

PID 2108 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.16258\Synapse Cracked.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.16258\Synapse Cracked.exe
  User: admin | Company: Java@Registred | Integrity Level: HIGH | Description: JavaUpadate.exe | Exit code: 0 | Version: 7.02.0012

PID 924 (parent process: Synapse Cracked.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Lammer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Lammer.exe
  User: admin | Integrity Level: HIGH | Exit code: 0

PID 2132 (parent process: Synapse Cracked.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Synapse X Remake Beta Release.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Synapse X Remake Beta Release.exe
  User: admin | Integrity Level: HIGH | Description: SynapseXRemakeBeta | Version: 1.0.0.0

PID 3700 (parent process: Lammer.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\System.exe"
  Path: C:\Users\admin\AppData\Local\Temp\System.exe
  User: admin | Integrity Level: HIGH

PID 824 (parent process: System.exe)
  CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
  Path: C:\Windows\system32\netsh.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Network Command Shell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 298
Read events: 1 187
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 5
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2108, Synapse Cracked.exe: C:\Users\admin\AppData\Local\Temp\Synapse X Remake Beta Release.exe (executable)
  MD5: 549E7BC2E36A1909A8AE93B7F38258DF
  SHA256: 7EADD87BA4499E5E98E2EC7943BBCFEE82FECEA1AD7BC444CABBB14D7D788FEB

PID 3700, System.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25ebd109baaec904782c5682bf345888.exe (executable)
  MD5: 725C56D0472A61F5F97487CB4E14DD87
  SHA256: 942F83526B58772EF85CA35FC373B3B95AD388D1DA08AC37B10517C9F258BDBC

PID 2192, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.16258\Synapse Cracked.exe (executable)
  MD5: CFE38140D975F53F11FFA097725D2ED7
  SHA256: CE769F177129C881EC8310B9ADB4807B636235C490F7CED17FD197711FD5DA58

PID 924, Lammer.exe: C:\Users\admin\AppData\Local\Temp\System.exe (executable)
  MD5: 725C56D0472A61F5F97487CB4E14DD87
  SHA256: 942F83526B58772EF85CA35FC373B3B95AD388D1DA08AC37B10517C9F258BDBC

PID 2108, Synapse Cracked.exe: C:\Users\admin\AppData\Local\Temp\Lammer.exe (executable)
  MD5: 725C56D0472A61F5F97487CB4E14DD87
  SHA256: 942F83526B58772EF85CA35FC373B3B95AD388D1DA08AC37B10517C9F258BDBC
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

IP: 173.225.115.192:1177 | Domain: iguilhermetiquem.duckdns.org | ASN: Webair Internet Development Company Inc. | CN: US | Reputation: unknown

PID 2132, Synapse X Remake Beta Release.exe
  IP: 104.23.99.190:443 | Domain: pastebin.com | ASN: Cloudflare Inc | CN: US | Reputation: malicious

DNS requests

pastebin.com
  • IP: 104.23.99.190
  • IP: 104.23.98.190
  Reputation: shared

iguilhermetiquem.duckdns.org
  • IP: 173.225.115.192
  Reputation: unknown

Threats

Class: Misc activity | Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info