analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

СХЕМКИ.exe

Full analysis: https://app.any.run/tasks/671f52e9-b7c3-4ae2-89c7-2cf72d070981
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 15:19:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6F2AC43A6772E12E8A92D85C5C1E99C3

SHA1:

D641F3826980FA4ADD8348C7DDAAB21A9F4EA4B8

SHA256:

24969D00E554108488875E85DBEDAB10BC3CF75A90EA7369607EC46ECC208F71

SSDEEP:

24576:UkHEzUJthaXAd7n6JPXenFgFeK4M+poUvitv7BbPVL26GI7+OftF0WieBueai0RF:UkkzUJzjIPXwjVLouqTcu+Oxiqlaw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Client.exe (PID: 1012)

    • Create files in the Startup directory

      • Client.exe (PID: 1012)

    • NJRAT was detected

      • Client.exe (PID: 1012)

    • Connects to the CnC server

      • Client.exe (PID: 1012)

    • NjRAT is detected

      • Client.exe (PID: 1012)

    • Changes the autorun value in the registry

      • Client.exe (PID: 1012)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • СХЕМКИ.exe (PID: 2672)
      • Client.exe (PID: 1012)

    • Reads the Internet Settings

      • СХЕМКИ.exe (PID: 2672)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Client.exe (PID: 1012)

    • Connects to unusual port

      • Client.exe (PID: 1012)

  • INFO

    • Reads the computer name

      • СХЕМКИ.exe (PID: 2672)
      • Client.exe (PID: 1012)
      • wmpnscfg.exe (PID: 948)

    • Checks supported languages

      • СХЕМКИ.exe (PID: 2672)
      • Client.exe (PID: 1012)
      • wmpnscfg.exe (PID: 948)

    • The process checks LSA protection

      • СХЕМКИ.exe (PID: 2672)
      • Client.exe (PID: 1012)
      • netsh.exe (PID: 3528)
      • wmpnscfg.exe (PID: 948)

    • Create files in a temporary directory

      • СХЕМКИ.exe (PID: 2672)

    • Reads the machine GUID from the registry

      • СХЕМКИ.exe (PID: 2672)
      • Client.exe (PID: 1012)
      • wmpnscfg.exe (PID: 948)

    • Creates files or folders in the user directory

      • Client.exe (PID: 1012)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 948)

    • Reads Environment values

      • Client.exe (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.3)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:04:01 11:01:50+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 1.73
CodeSize: 2081280
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Apr-2023 11:01:50

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0080
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0010
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x0140
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 01-Apr-2023 11:01:50
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x001FC0B7
0x001FC200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.23288
.idata
0x001FE000
0x000001FC
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.15362
.rsrc
0x001FF000
0x00003EF0
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.72851

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.17103
701
UNKNOWN
UNKNOWN
RT_MANIFEST
2
5.86108
4264
UNKNOWN
UNKNOWN
RT_ICON
3
5.37027
9640
UNKNOWN
UNKNOWN
RT_ICON

Imports

Shlwapi.dll
kernel32.dll
msvcrt.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start схемки.exe #NJRAT client.exe netsh.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2672"C:\Users\admin\AppData\Local\Temp\СХЕМКИ.exe" C:\Users\admin\AppData\Local\Temp\СХЕМКИ.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\схемки.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
1012"C:\Users\admin\AppData\Local\Temp\Client.exe" C:\Users\admin\AppData\Local\Temp\Client.exe
СХЕМКИ.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
3528netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLEC:\Windows\System32\netsh.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
948"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\gdi32.dll
Total events
5 468
Read events
5 002
Write events
460
Delete events
6

Modification events

(PID) Process:(2672) СХЕМКИ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2672) СХЕМКИ.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2672) СХЕМКИ.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2672) СХЕМКИ.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2672) СХЕМКИ.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3528) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1012) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:961985a243f49b28e3e94621efec76de
Value:
"C:\Users\admin\AppData\Local\Temp\Client.exe" ..
(PID) Process:(948) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{0AB7F19F-FCA8-48EA-B610-ECE04615B8F3}\{8BA1090E-6C8A-4274-82C6-5B094BE023CA}
Operation:delete keyName:(default)
Value:
(PID) Process:(948) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{0AB7F19F-FCA8-48EA-B610-ECE04615B8F3}
Operation:delete keyName:(default)
Value:
(PID) Process:(948) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{F88C296D-9CC8-49C1-A0D4-21962DB56E49}
Operation:delete keyName:(default)
Value:
Executable files
6
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1012Client.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\961985a243f49b28e3e94621efec76de.exeexecutable
MD5:60A91596912E820EAB873EB8248B9750
SHA256:312DCE9DA5C7F27D924184C06F25E8BE7367DB4DC2E65CAA0B0B222DDE029A2D
2672СХЕМКИ.exeC:\Users\admin\AppData\Local\Temp\Client.exeexecutable
MD5:60A91596912E820EAB873EB8248B9750
SHA256:312DCE9DA5C7F27D924184C06F25E8BE7367DB4DC2E65CAA0B0B222DDE029A2D
2672СХЕМКИ.exeC:\Users\admin\AppData\Local\Temp\Схемы.exeexecutable
MD5:1715E1049A76C327548501764F0C2095
SHA256:BCF55A428B88CA56D9D81BF22A2DF823ADD58E1E4E16F0FB8879360F1308B453
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1012
Client.exe
3.127.138.57:14308
2.tcp.eu.ngrok.io
AMAZON-02
DE
malicious
3.127.138.57:14308
2.tcp.eu.ngrok.io
AMAZON-02
DE
malicious

DNS requests

Domain
IP
Reputation
2.tcp.eu.ngrok.io
  • 3.127.138.57
malicious

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO DNS Query to a *.ngrok domain (ngrok.io)
1012
Client.exe
Unknown Classtype
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
11 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
СХЕМКИ.exe