File name:

24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N

Full analysis: https://app.any.run/tasks/a128c3d2-602d-4238-9817-ae7b2a9db9c2
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: September 18, 2024, 07:45:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
njrat
bladabindi
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

E9A9D4747D4450FC0D3647AE1B38D6D0

SHA1:

E76E44A32902A088831593235449298B219E8567

SHA256:

24DE28A2D4C0BE7A1605C5C0543F698E08F8529566EBEFB44086F5AC8CB9F1F1

SSDEEP:

1536:L8/258JnN8JZ0GCI8dg5o3O5MdHgQr9pF:L8dJnNuu3HgQrfF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NJRAT has been detected (YARA)

      • 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe (PID: 5760)
    • NJRAT has been detected (SURICATA)

      • 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe (PID: 5760)
    • Connects to the CnC server

      • 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe (PID: 5760)
  • SUSPICIOUS

    • Connects to unusual port

      • 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe (PID: 5760)
    • Contacting a server suspected of hosting an CnC

      • 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe (PID: 5760)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(5760) 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe
C2peter-introduces.gl.at.ply.gg
Ports20394
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\42413bdc98533338ff4c6d1ee0c4b956
Splitter|'|'|
Version0.7d
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (81)
.dll | Win32 Dynamic Link Library (generic) (7.2)
.exe | Win32 Executable (generic) (4.9)
.exe | Win16/32 Executable Delphi generic (2.2)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

AssemblyVersion: 0.0.0.0
ProductVersion: 0.0.0.0
OriginalFileName: ps4zecn0.exe
LegalCopyright:
InternalName: ps4zecn0.exe
FileVersion: 0.0.0.0
FileDescription:
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1010e
UninitializedDataSize: -
InitializedDataSize: 12288
CodeSize: 61440
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:09:13 20:01:13+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NJRAT 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1n.exe netsh.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
5760"C:\Users\admin\Desktop\24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe" C:\Users\admin\Desktop\24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
NjRat
(PID) Process(5760) 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe
C2peter-introduces.gl.at.ply.gg
Ports20394
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\42413bdc98533338ff4c6d1ee0c4b956
Splitter|'|'|
Version0.7d
2768netsh firewall add allowedprogram "C:\Users\admin\Desktop\24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe" "24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe" ENABLEC:\Windows\SysWOW64\netsh.exe24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6396\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
1 085
Read events
1 075
Write events
10
Delete events
0

Modification events

(PID) Process:(5760) 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(5760) 24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exeKey:HKEY_CURRENT_USER\SOFTWARE\42413bdc98533338ff4c6d1ee0c4b956
Operation:writeName:[kl]
Value:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
20
DNS requests
5
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5212
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5212
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5212
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4324
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5760
24de28a2d4c0be7a1605c5c0543f698e08f8529566ebefb44086f5ac8cb9f1f1N.exe
147.185.221.20:20394
peter-introduces.gl.at.ply.gg
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
peter-introduces.gl.at.ply.gg
  • 147.185.221.20
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
Misc activity
ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
2 ETPRO signatures available at the full report
No debug info