analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.zip

Full analysis: https://app.any.run/tasks/2467d394-e3f2-47f1-8283-ea98c021332a
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: April 25, 2019, 15:15:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

EE51045D031E03AAD7A55C53DFFEBA67

SHA1:

8AB210EBC4AABEAF02C96927B3F14215FB063ADB

SHA256:

3AFC85DAC0234D96B8684C5664EC8764105DBEFAD3D3673A53CC321D0D10CBE8

SSDEEP:

24576:OxS7tkc+m8VFP1WsugI/GI7AlNETnxmWYOesnBc8mmYSSkS2WcO:OSkmsNtCOI7aETnxXNTi9Si

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Malwarebytes by FuseFire.exe (PID: 2140)
      • Malwarebytes by FuseFire.exe (PID: 2056)
      • Malwarebytes by FuseFire.exe (PID: 1832)
    • Known privilege escalation attack

      • Malwarebytes by FuseFire.exe (PID: 1832)
    • Loads dropped or rewritten executable

      • Malwarebytes by FuseFire.exe (PID: 2140)
      • WerFault.exe (PID: 2208)
    • Writes to a start menu file

      • Malwarebytes by FuseFire.exe (PID: 2056)
    • Connects to CnC server

      • RegAsm.exe (PID: 2832)
    • NJRAT was detected

      • RegAsm.exe (PID: 2832)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Malwarebytes by FuseFire.exe (PID: 2056)
      • Malwarebytes by FuseFire.exe (PID: 2140)
    • Modifies the open verb of a shell class

      • Malwarebytes by FuseFire.exe (PID: 1832)
    • Creates files in the user directory

      • Malwarebytes by FuseFire.exe (PID: 2056)
    • Creates files in the program directory

      • WerFault.exe (PID: 2208)
    • Uses NETSH.EXE for network configuration

      • RegAsm.exe (PID: 2832)
    • Starts CMD.EXE for commands execution

      • RegAsm.exe (PID: 2832)
  • INFO

    • Application was crashed

      • Malwarebytes by FuseFire.exe (PID: 2140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:25 15:55:19
ZipCRC: 0x12f77af8
ZipCompressedSize: 19760
ZipUncompressedSize: 50688
ZipFileName: [CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest/AgileDotNet.VMRuntime.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
12
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs malwarebytes by fusefire.exe no specs eventvwr.exe no specs eventvwr.exe malwarebytes by fusefire.exe malwarebytes by fusefire.exe #NJRAT regasm.exe netsh.exe no specs werfault.exe no specs netsh.exe no specs cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2560"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1832"C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4048"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exeMalwarebytes by FuseFire.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Event Viewer Snapin Launcher
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
352"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exe
Malwarebytes by FuseFire.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Viewer Snapin Launcher
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2056"C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe
eventvwr.exe
User:
admin
Integrity Level:
HIGH
2140"C:\Users\admin\AppData\Local\Temp\Malwarebytes by FuseFire.exe" C:\Users\admin\AppData\Local\Temp\Malwarebytes by FuseFire.exe
Malwarebytes by FuseFire.exe
User:
admin
Integrity Level:
HIGH
Description:
Malwarebytes by FuseFire
Exit code:
3762504530
Version:
1.0.0.0
2832"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Malwarebytes by FuseFire.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
2652netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLEC:\Windows\system32\netsh.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2208C:\Windows\system32\WerFault.exe -u -p 2140 -s 720C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4068netsh firewall delete allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\system32\netsh.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 099
Read events
964
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\AgileDotNet.VMRuntime.dll
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Colorful.Console.dll
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Hits\Business.txt
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Hits\Business_RAW.txt
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Keys.txt
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Proxies.txt
MD5:
SHA256:
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\RestSharp.dll
MD5:
SHA256:
2208WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Malwarebytes by FuseFire.exe.2140.dmp
MD5:
SHA256:
2056Malwarebytes by FuseFire.exeC:\Users\admin\Application Frame Host\Update Application.vbstext
MD5:4FDDC3783D6C229784A8C36B9EDF001F
SHA256:C7137024C89C61061862DD0FC4DF7F8894DF991013F2E5EAE393AF9C5563355C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2832
RegAsm.exe
172.111.154.46:5557
ninja5557.ddns.net
AltusHost B.V.
GB
malicious

DNS requests

Domain
IP
Reputation
ninja5557.ddns.net
  • 172.111.154.46
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
2832
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] njRAT.Gen RAT outbound connection
2832
RegAsm.exe
A Network Trojan was detected
ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Desktop)
2832
RegAsm.exe
A Network Trojan was detected
ET TROJAN Bladabindi/njRAT CnC Command (ll)
3 ETPRO signatures available at the full report
No debug info