File name: Temp.zip
Full analysis: https://app.any.run/tasks/1e144368-cf02-4243-9679-b0e13253c0ca
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available for it; interested attackers can even find tutorials on YouTube. This accessibility has made it one of the most popular RATs in the world.

Analysis date: March 14, 2019, 11:57:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, orcus, njrat, bladabindi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 61E111848067EAFF93EE8B12DFB1EA31
SHA1: 16325DC3554439EA6CD01A501614383049C4CCC6
SHA256: 2F716E23A93CA8ABA48D73ABDA3AA632FC033EBD413A1DEF33FD93DC546867B0
SSDEEP: 393216:vF9b/b4sNmP0DqMRIrB8l8iOdX3s36LYQlRJejounjkX:vFZcsN2MqoIrSJOdns3Z0JejU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • bj2xe.exe (PID: 2528)
      • 7mOPbuMzTSc.exe (PID: 1076)
      • FyY8a7nx.exe (PID: 3756)
      • DqlzFb.exe (PID: 3124)
      • pDnvnUwD.exe (PID: 3504)
      • Rp6GWuUa8.exe (PID: 3164)
      • kzVcoO.exe (PID: 3952)
      • Hy4VLR6pc6.exe (PID: 2764)
      • tmp6B1F.tmp.exe (PID: 1912)
      • Z2Uc71v4VY.exe (PID: 2592)
      • wOWyOVH.exe (PID: 2800)
      • Tr4OcLjBE0.exe (PID: 3488)
      • T83J5Q.exe (PID: 2900)
      • y7ibCO3.exe (PID: 2976)
      • wadJ9eBX9.exe (PID: 1868)
      • tmpDC57.tmp.exe (PID: 2856)
      • Taskmgr.exe (PID: 3856)
      • svchost.exe (PID: 2320)
      • tmp5DC8.tmp.exe (PID: 2676)
      • taskmgr.exe (PID: 2316)
      • t9vdEVZ.exe (PID: 2980)
      • AppLaunch.exe (PID: 3396)
      • p4UgrzRN4.exe (PID: 3912)
      • rNcgLd.exe (PID: 2576)
      • kvCC3R.exe (PID: 4084)
      • AppLaunch.exe (PID: 2716)
      • fTDgK.exe (PID: 3656)
      • kvCC3R.exe (PID: 3412)
      • CCafR7.exe (PID: 3276)
      • xrQiJLkxvt.exe (PID: 3784)
      • svchost.exe (PID: 3460)
      • BingSvc.exe (PID: 4080)
      • Waakf.exe (PID: 3772)
      • X64dPwKEC4.exe (PID: 3288)
      • WWbekitA3R.exe (PID: 3996)
      • Zv1KAhkhYe.exe (PID: 4004)
      • ZMrdSP5Voz.exe (PID: 3332)
      • zjRnXLN.exe (PID: 3212)
      • zjRnXLN.exe (PID: 2784)
      • wrhLEH1.exe (PID: 2484)
      • WindowsInput.exe (PID: 3956)
      • UUUaTq.exe (PID: 3760)
      • WindowsInput.exe (PID: 3088)
      • Wtcrh0V9rG.exe (PID: 3636)
      • vXd4r5Bm3g.exe (PID: 2340)
      • tmpA98.tmp.exe (PID: 3592)
      • tmp5D0A.tmp.exe (PID: 3492)
      • AppLaunch.exe (PID: 3400)
      • svchost.exe (PID: 2224)
      • tmp5BF4.tmp.exe (PID: 3840)
      • tmp5BF4.tmp.exe (PID: 2836)
      • tmp2D73.tmp.exe (PID: 2968)
      • svchost.exe (PID: 2956)
    • Runs app for hidden code execution

      • y7ibCO3.exe (PID: 2976)
      • p4UgrzRN4.exe (PID: 3912)
      • vXd4r5Bm3g.exe (PID: 2340)
    • Changes the autorun value in the registry

      • AppLaunch.exe (PID: 3396)
      • Taskmgr.exe (PID: 3856)
      • taskmgr.exe (PID: 2316)
      • svchost.exe (PID: 2956)
    • Runs injected code in another process

      • AppLaunch.exe (PID: 3396)
    • Application was injected by another process

      • explorer.exe (PID: 284)
    • Known privilege escalation attack

      • kvCC3R.exe (PID: 4084)
    • Orcus was detected

      • kvCC3R.exe (PID: 4084)
      • kvCC3R.exe (PID: 3412)
      • tmp5D0A.tmp.exe (PID: 3492)
    • Writes to a start menu file

      • Taskmgr.exe (PID: 3856)
      • taskmgr.exe (PID: 2316)
      • svchost.exe (PID: 2956)
    • NJRAT was detected

      • Taskmgr.exe (PID: 3856)
      • taskmgr.exe (PID: 2316)
      • svchost.exe (PID: 2956)
    • Uses Task Scheduler to run other applications

      • Taskmgr.exe (PID: 3856)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2976)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 284)
      • FyY8a7nx.exe (PID: 3756)
      • AppLaunch.exe (PID: 3396)
      • Taskmgr.exe (PID: 3856)
      • taskmgr.exe (PID: 2316)
      • kvCC3R.exe (PID: 3412)
      • svchost.exe (PID: 2956)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2180)
      • DqlzFb.exe (PID: 3124)
      • FyY8a7nx.exe (PID: 3756)
      • AppLaunch.exe (PID: 3396)
      • wOWyOVH.exe (PID: 2800)
      • wadJ9eBX9.exe (PID: 1868)
      • Taskmgr.exe (PID: 3856)
      • taskmgr.exe (PID: 2316)
      • kvCC3R.exe (PID: 3412)
      • xrQiJLkxvt.exe (PID: 3784)
      • tmp5BF4.tmp.exe (PID: 3840)
      • svchost.exe (PID: 2956)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 284)
    • Creates executable files which already exist in Windows

      • DqlzFb.exe (PID: 3124)
      • wadJ9eBX9.exe (PID: 1868)
      • xrQiJLkxvt.exe (PID: 3784)
      • tmp5BF4.tmp.exe (PID: 3840)
    • Starts CMD.EXE for commands execution

      • y7ibCO3.exe (PID: 2976)
      • p4UgrzRN4.exe (PID: 3912)
      • vXd4r5Bm3g.exe (PID: 2340)
    • Starts itself from another location

      • DqlzFb.exe (PID: 3124)
      • FyY8a7nx.exe (PID: 3756)
      • wOWyOVH.exe (PID: 2800)
      • wadJ9eBX9.exe (PID: 1868)
      • xrQiJLkxvt.exe (PID: 3784)
      • tmp5BF4.tmp.exe (PID: 3840)
    • Creates files in the program directory

      • AppLaunch.exe (PID: 3396)
    • Executes application which crashes

      • explorer.exe (PID: 284)
    • Modifies the open verb of a shell class

      • kvCC3R.exe (PID: 4084)
    • Creates files in the Windows directory

      • kvCC3R.exe (PID: 3412)
      • WindowsInput.exe (PID: 3956)
    • Connects to unusual port

      • Taskmgr.exe (PID: 3856)
      • taskmgr.exe (PID: 2316)
      • explorer.exe (PID: 284)
  • INFO

    • Application was crashed

      • tmp6B1F.tmp.exe (PID: 1912)
      • ntvdm.exe (PID: 3520)
      • ntvdm.exe (PID: 3716)
      • tmpA98.tmp.exe (PID: 3592)
      • tmp2D73.tmp.exe (PID: 2968)
    • Reads settings of System Certificates

      • kvCC3R.exe (PID: 3412)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: ZMrdSP5Voz.exe
ZipUncompressedSize: 96256
ZipCompressedSize: 27714
ZipCRC: 0xae15972e
ZipModifyDate: 2018:06:04 00:22:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 70
Malicious processes: 25
Suspicious processes: 3

Behavior graph

[Process tree graph rendered in the full report. Edge types shown: start, drop and start, inject. Nodes tagged in the graph: taskmgr.exe (#NJRAT, two instances), svchost.exe (#NJRAT), kvcc3r.exe (#ORCUS, two instances), tmp5d0a.tmp.exe (#ORCUS).]

Process information

Columns: PID, CMD, Path, Indicators, Parent process. The Indicators column is empty for every process listed below.

  • PID 3896, parent process explorer.exe
    CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Temp.zip"
    Path: C:\Program Files\WinRAR\WinRAR.exe
    User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
  • PID 2180, parent process explorer.exe
    CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Temp.zip" C:\Users\admin\Desktop\
    Path: C:\Program Files\WinRAR\WinRAR.exe
    User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
  • PID 1076, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\7mOPbuMzTSc.exe"
    Path: C:\Users\admin\Desktop\7mOPbuMzTSc.exe
    User: admin; Integrity Level: MEDIUM; Description: WindowsApplication3; Exit code: 0; Version: 1.0.0.0
  • PID 2528, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\bj2xe.exe"
    Path: C:\Users\admin\Desktop\bj2xe.exe
    User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
  • PID 3124, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\DqlzFb.exe"
    Path: C:\Users\admin\Desktop\DqlzFb.exe
    User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
  • PID 3756, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\FyY8a7nx.exe"
    Path: C:\Users\admin\Desktop\FyY8a7nx.exe
    User: admin; Integrity Level: MEDIUM; Description: WindowsApplication3; Exit code: 0; Version: 1.0.0.0
  • PID 2764, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\Hy4VLR6pc6.exe"
    Path: C:\Users\admin\Desktop\Hy4VLR6pc6.exe
    User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
  • PID 3952, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\kzVcoO.exe"
    Path: C:\Users\admin\Desktop\kzVcoO.exe
    User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
  • PID 3504, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\pDnvnUwD.exe"
    Path: C:\Users\admin\Desktop\pDnvnUwD.exe
    User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
  • PID 3164, parent process explorer.exe
    CMD: "C:\Users\admin\Desktop\Rp6GWuUa8.exe"
    Path: C:\Users\admin\Desktop\Rp6GWuUa8.exe
    User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
Total events: 7 933
Read events: 7 571
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 103
Suspicious files: 0
Text files: 649
Unknown types: 7

Dropped files

Columns: PID, Process, Filename, Type, followed by the MD5 and SHA256 of the dropped file.

  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\Zv1KAhkhYe.exe (executable)
    MD5: 72038F4C898A634DB171445DA6890DD2
    SHA256: 84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\5IyOWck8jLG.exe (executable)
    MD5: 20129C4E9A182103101702F1D7263C6C
    SHA256: C3D6EE1D753BB728667FE7A65D147B14BCE98257149B5FBE3126A87F0F164DDF
  • PID 284, explorer.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms (automaticdestinations-ms)
    MD5: B2EBA313EE49931D0A677642F93C1030
    SHA256: 1A9783771B27B5ABCDFCBA9EED5D4D8FE00E519226705DAD7ED9E1B8E6A1B217
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\9NH0haRt7N.exe (executable)
    MD5: 28669520BD2659E5A60551D7E751C8B7
    SHA256: F09DE84840B7AD523360E83C2E0ABE6EA4834FEC529EDF26D9A428C09D32A823
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\2Iskr6xLiEu.exe (executable)
    MD5: 72038F4C898A634DB171445DA6890DD2
    SHA256: 84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\1rtSP68NfVB.exe (executable)
    MD5: 72038F4C898A634DB171445DA6890DD2
    SHA256: 84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\ZMrdSP5Voz.exe (executable)
    MD5: F5C6529AF64520DB5E3FE15FCA484766
    SHA256: 6F9BB8F9B9A83907CE8DA6D8721C364BB0D07B1612E46ABFD95E411EB013F216
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\7mOPbuMzTSc.exe (executable)
    MD5: 2BC84BF158D7D5623B08F04FD9870E0C
    SHA256: 8992B5E2A0687D60EE567CBD40CB89ACBEF7480D6630204796ECF5572410CDE8
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\0V8QRoTg.exe (executable)
    MD5: 72038F4C898A634DB171445DA6890DD2
    SHA256: 84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D
  • PID 2180, WinRAR.exe: C:\Users\admin\Desktop\3NoiA19Tg5I.exe (executable)
    MD5: 72038F4C898A634DB171445DA6890DD2
    SHA256: 84A5860C47A3EF1B85F1C808A61CD642EAC42F0EFAABC6E3B359FB8F8D1F146D
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 6
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation.

  • PID 3856, Taskmgr.exe: 187.58.111.235:1723, domain kano.blackunix.com, ASN TELEFÔNICA BRASIL S.A, CN BR, reputation unknown
  • PID 2316, taskmgr.exe: 187.58.111.235:1723, domain kano.blackunix.com, ASN TELEFÔNICA BRASIL S.A, CN BR, reputation unknown
  • PID 284, explorer.exe: 187.58.111.235:5549, domain kano.blackunix.com, ASN TELEFÔNICA BRASIL S.A, CN BR, reputation unknown

DNS requests

Columns: Domain, IP, Reputation.

  • dl.n1ckna.me: no IP listed, reputation unknown
  • kano.blackunix.com: 187.58.111.235, reputation malicious
  • irc2.blackunix.com: 187.58.111.235, reputation unknown
  • nodio.ddns.net: no IP listed, reputation unknown
  • shell.blackunix.com: 187.58.111.235, reputation malicious
  • nodiosena.ddns.net: 0.0.0.0, reputation malicious

Threats

No threats detected
No debug info