File name: | Temp.zip |
Full analysis: | https://app.any.run/tasks/17a21059-8e46-4aa0-86d8-0afda701d8c7 |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | March 14, 2019, 17:02:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 61E111848067EAFF93EE8B12DFB1EA31 |
SHA1: | 16325DC3554439EA6CD01A501614383049C4CCC6 |
SHA256: | 2F716E23A93CA8ABA48D73ABDA3AA632FC033EBD413A1DEF33FD93DC546867B0 |
SSDEEP: | 393216:vF9b/b4sNmP0DqMRIrB8l8iOdX3s36LYQlRJejounjkX:vFZcsN2MqoIrSJOdns3Z0JejU |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | ZMrdSP5Voz.exe |
---|---|
ZipUncompressedSize: | 96256 |
ZipCompressedSize: | 27714 |
ZipCRC: | 0xae15972e |
ZipModifyDate: | 2018:06:04 00:22:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2408 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Temp.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2544 | "C:\Users\admin\Desktop\server.exe" | C:\Users\admin\Desktop\server.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: ConsoleApplication1 Exit code: 0 Version: 1.0.0.0 | ||||
2504 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | server.exe | |
User: admin Integrity Level: MEDIUM Description: ConsoleApplication1 Version: 1.0.0.0 | ||||
4052 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE | C:\Windows\system32\netsh.exe | — | server.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2976 | "C:\Users\admin\Desktop\wOWyOVH.exe" | C:\Users\admin\Desktop\wOWyOVH.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: ConsoleApplication2 Exit code: 0 Version: 1.0.0.0 | ||||
3076 | "C:\Users\admin\AppData\Local\taskmgr.exe" | C:\Users\admin\AppData\Local\taskmgr.exe | — | wOWyOVH.exe |
User: admin Integrity Level: MEDIUM Description: ConsoleApplication2 Version: 1.0.0.0 |
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Temp.zip | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2408) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2544) server.exe | Key: | HKEY_CURRENT_USER |
Operation: | write | Name: | di |
Value: ! |
PID | Process | Filename | Type | |
---|---|---|---|---|
2408 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2408.49467\server.exe | — | |
MD5:— | SHA256:— | |||
2408 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2408.2375\wOWyOVH.exe | — | |
MD5:— | SHA256:— | |||
2544 | server.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | |
MD5:1C85680FD02EE9ACB26497894A8C77B0 | SHA256:83042AC8EF0A0F93D96A54E66493A3A6F7200C59255A786B676C4146E571BD7D | |||
2976 | wOWyOVH.exe | C:\Users\admin\AppData\Local\taskmgr.exe | executable | |
MD5:F5C6529AF64520DB5E3FE15FCA484766 | SHA256:6F9BB8F9B9A83907CE8DA6D8721C364BB0D07B1612E46ABFD95E411EB013F216 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2504 | server.exe | 187.58.111.235:1723 | kano.blackunix.com | TELEFÔNICA BRASIL S.A | BR | unknown |
Domain | IP | Reputation |
---|---|---|
kano.blackunix.com |
| malicious |