File name: | Temp.zip |
Full analysis: | https://app.any.run/tasks/1e144368-cf02-4243-9679-b0e13253c0ca |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | March 14, 2019, 11:57:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 61E111848067EAFF93EE8B12DFB1EA31 |
SHA1: | 16325DC3554439EA6CD01A501614383049C4CCC6 |
SHA256: | 2F716E23A93CA8ABA48D73ABDA3AA632FC033EBD413A1DEF33FD93DC546867B0 |
SSDEEP: | 393216:vF9b/b4sNmP0DqMRIrB8l8iOdX3s36LYQlRJejounjkX:vFZcsN2MqoIrSJOdns3Z0JejU |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | ZMrdSP5Voz.exe |
---|---|
ZipUncompressedSize: | 96256 |
ZipCompressedSize: | 27714 |
ZipCRC: | 0xae15972e |
ZipModifyDate: | 2018:06:04 00:22:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3896 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Temp.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2180 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Temp.zip" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1076 | "C:\Users\admin\Desktop\7mOPbuMzTSc.exe" | C:\Users\admin\Desktop\7mOPbuMzTSc.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: WindowsApplication3 Exit code: 0 Version: 1.0.0.0 | ||||
2528 | "C:\Users\admin\Desktop\bj2xe.exe" | C:\Users\admin\Desktop\bj2xe.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 | ||||
3124 | "C:\Users\admin\Desktop\DqlzFb.exe" | C:\Users\admin\Desktop\DqlzFb.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 | ||||
3756 | "C:\Users\admin\Desktop\FyY8a7nx.exe" | C:\Users\admin\Desktop\FyY8a7nx.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: WindowsApplication3 Exit code: 0 Version: 1.0.0.0 | ||||
2764 | "C:\Users\admin\Desktop\Hy4VLR6pc6.exe" | C:\Users\admin\Desktop\Hy4VLR6pc6.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 | ||||
3952 | "C:\Users\admin\Desktop\kzVcoO.exe" | C:\Users\admin\Desktop\kzVcoO.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 | ||||
3504 | "C:\Users\admin\Desktop\pDnvnUwD.exe" | C:\Users\admin\Desktop\pDnvnUwD.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 | ||||
3164 | "C:\Users\admin\Desktop\Rp6GWuUa8.exe" | C:\Users\admin\Desktop\Rp6GWuUa8.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2180 | WinRAR.exe | C:\Users\admin\Desktop\Zv1KAhkhYe.exe | executable | |
MD5:72038F4C898A634DB171445DA6890DD2 | SHA256:84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\5IyOWck8jLG.exe | executable | |
MD5:20129C4E9A182103101702F1D7263C6C | SHA256:C3D6EE1D753BB728667FE7A65D147B14BCE98257149B5FBE3126A87F0F164DDF | |||
284 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | |
MD5:B2EBA313EE49931D0A677642F93C1030 | SHA256:1A9783771B27B5ABCDFCBA9EED5D4D8FE00E519226705DAD7ED9E1B8E6A1B217 | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\9NH0haRt7N.exe | executable | |
MD5:28669520BD2659E5A60551D7E751C8B7 | SHA256:F09DE84840B7AD523360E83C2E0ABE6EA4834FEC529EDF26D9A428C09D32A823 | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\2Iskr6xLiEu.exe | executable | |
MD5:72038F4C898A634DB171445DA6890DD2 | SHA256:84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\1rtSP68NfVB.exe | executable | |
MD5:72038F4C898A634DB171445DA6890DD2 | SHA256:84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\ZMrdSP5Voz.exe | executable | |
MD5:F5C6529AF64520DB5E3FE15FCA484766 | SHA256:6F9BB8F9B9A83907CE8DA6D8721C364BB0D07B1612E46ABFD95E411EB013F216 | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\7mOPbuMzTSc.exe | executable | |
MD5:2BC84BF158D7D5623B08F04FD9870E0C | SHA256:8992B5E2A0687D60EE567CBD40CB89ACBEF7480D6630204796ECF5572410CDE8 | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\0V8QRoTg.exe | executable | |
MD5:72038F4C898A634DB171445DA6890DD2 | SHA256:84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D | |||
2180 | WinRAR.exe | C:\Users\admin\Desktop\3NoiA19Tg5I.exe | executable | |
MD5:72038F4C898A634DB171445DA6890DD2 | SHA256:84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3856 | Taskmgr.exe | 187.58.111.235:1723 | kano.blackunix.com | TELEFÔNICA BRASIL S.A | BR | unknown |
2316 | taskmgr.exe | 187.58.111.235:1723 | kano.blackunix.com | TELEFÔNICA BRASIL S.A | BR | unknown |
284 | explorer.exe | 187.58.111.235:5549 | kano.blackunix.com | TELEFÔNICA BRASIL S.A | BR | unknown |
Domain | IP | Reputation |
---|---|---|
dl.n1ckna.me |
| unknown |
kano.blackunix.com |
| malicious |
irc2.blackunix.com |
| unknown |
nodio.ddns.net |
| unknown |
shell.blackunix.com |
| malicious |
nodiosena.ddns.net |
| malicious |