analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

njRAT-v0.8d-main.zip

Full analysis: https://app.any.run/tasks/f8961287-9624-4745-922b-52a1395cd77c
Verdict: Malicious activity
Analysis date: January 25, 2022, 01:54:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

F24F04C85A6284CECDAFF4C06150DCB2

SHA1:

3C44F5A5F3AC36D5596B493568A8A7B178D373B3

SHA256:

2A3B7EC401837252DDCBA8253D7E4A4027061B53C0DC7ABD972CC5BACAF98438

SSDEEP:

49152:JLEb2G7hYKfxG7GByoflLEb2G7hYKfx86pChJh4Q:LG73fxbdnG73fxJ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 4080)
    • Application was dropped or rewritten from another process

      • njRAT v0.8d.exe (PID: 3640)
  • SUSPICIOUS

    • Reads the computer name

      • njRAT v0.8d.exe (PID: 3640)
      • WinRAR.exe (PID: 3148)
    • Checks supported languages

      • WinRAR.exe (PID: 3148)
      • njRAT v0.8d.exe (PID: 3640)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3148)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3148)
    • Reads Environment values

      • njRAT v0.8d.exe (PID: 3640)
  • INFO

    • Manual execution by user

      • njRAT v0.8d.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:11:13 22:44:08
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: njRAT-v0.8d-main/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs njrat v0.8d.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3148"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\njRAT-v0.8d-main.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
4080"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
3640"C:\Users\admin\Desktop\njRAT-v0.8d-main\njRAT v0.8d.exe" C:\Users\admin\Desktop\njRAT-v0.8d-main\njRAT v0.8d.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Total events
2 056
Read events
2 045
Write events
11
Delete events
0

Modification events

(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3148) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\njRAT-v0.8d-main.zip
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
10
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Plugin\PEPSI-CH.dllexecutable
MD5:1CB8FA647355805F2AE6A7E6BB71B138
SHA256:89A1BBE42CDE01DDFE531D69DD6EA6575296096010400CB63CBF4999ECA52E52
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Plugin\pw.dllexecutable
MD5:DB87DAF76C15F3808CEC149F639AA64F
SHA256:A3E4BEE1B6944AA9266BD58DE3F534A4C1896DF621881A5252A0D355A6E67C70
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Stub.exeexecutable
MD5:9AC810F92B1ED48EA03396D74425BC2E
SHA256:296DE887D687F4C1146C57E9157C343F9F8DDCCFC79F8F5033F0A57D443E0AD7
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\GeoIP.manifestprg
MD5:D6A5BA3494C5CFA8ADAABA2D5F138610
SHA256:5FA0FD7178A5883A5A9C66DE58F01BCD66FB156A515E21E7CAE1E00EC4226360
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Plugin\PEPSI-F.dllexecutable
MD5:51C2EE936DED2E55F8BCC8CBA6E3B330
SHA256:F132324ACF09C0562A1CAD1288BFB4021BD991659126D21ECB9499938BF6ACB3
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Plugin\PEPSI-C.dllexecutable
MD5:0A1CA904B3D688C01F4E5FAAE811922B
SHA256:B02C56D29447690CDAFD8F2F6877D526D1F6EFCAAE74017719C460D9B3EE38B8
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Plugin\PEPSI-S.dllexecutable
MD5:70AC2237257012E013331E749D42A70B
SHA256:E728AFC5D081EAABE3297D0DDD8387D0DF0BBED0F73EE3B04C4588CB89EFEA51
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Stub.manifestprg
MD5:D6A5BA3494C5CFA8ADAABA2D5F138610
SHA256:5FA0FD7178A5883A5A9C66DE58F01BCD66FB156A515E21E7CAE1E00EC4226360
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\WinMM.Net.dllexecutable
MD5:D4B80052C7B4093E10CE1F40CE74F707
SHA256:59E2AC1B79840274BDFCEF412A10058654E42F4285D732D1487E65E60FFBFB46
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.34335\njRAT-v0.8d-main\Mono.Cecil.dllexecutable
MD5:851EC9D84343FBD089520D420348A902
SHA256:CDADC26C09F869E21053EE1A0ACF3B2D11DF8EDD599FE9C377BD4D3CE1C9CDA9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info