File name: | 1.zip |
Full analysis: | https://app.any.run/tasks/2467d394-e3f2-47f1-8283-ea98c021332a |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | April 25, 2019, 15:15:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | EE51045D031E03AAD7A55C53DFFEBA67 |
SHA1: | 8AB210EBC4AABEAF02C96927B3F14215FB063ADB |
SHA256: | 3AFC85DAC0234D96B8684C5664EC8764105DBEFAD3D3673A53CC321D0D10CBE8 |
SSDEEP: | 24576:OxS7tkc+m8VFP1WsugI/GI7AlNETnxmWYOesnBc8mmYSSkS2WcO:OSkmsNtCOI7aETnxXNTi9Si |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:04:25 15:55:19 |
ZipCRC: | 0x12f77af8 |
ZipCompressedSize: | 19760 |
ZipUncompressedSize: | 50688 |
ZipFileName: | [CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest/AgileDotNet.VMRuntime.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2560 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1832 | "C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" | C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4048 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | Malwarebytes by FuseFire.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
352 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | Malwarebytes by FuseFire.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2056 | "C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" | C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe | eventvwr.exe | |
User: admin Integrity Level: HIGH | ||||
2140 | "C:\Users\admin\AppData\Local\Temp\Malwarebytes by FuseFire.exe" | C:\Users\admin\AppData\Local\Temp\Malwarebytes by FuseFire.exe | Malwarebytes by FuseFire.exe | |
User: admin Integrity Level: HIGH Description: Malwarebytes by FuseFire Exit code: 3762504530 Version: 1.0.0.0 | ||||
2832 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Malwarebytes by FuseFire.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
2652 | netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE | C:\Windows\system32\netsh.exe | — | RegAsm.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2208 | C:\Windows\system32\WerFault.exe -u -p 2140 -s 720 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4068 | netsh firewall delete allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\system32\netsh.exe | — | RegAsm.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\AgileDotNet.VMRuntime.dll | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Colorful.Console.dll | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Hits\Business.txt | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Hits\Business_RAW.txt | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Keys.txt | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Proxies.txt | — | |
MD5:— | SHA256:— | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2560.32312\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\RestSharp.dll | — | |
MD5:— | SHA256:— | |||
2208 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Malwarebytes by FuseFire.exe.2140.dmp | — | |
MD5:— | SHA256:— | |||
2056 | Malwarebytes by FuseFire.exe | C:\Users\admin\Application Frame Host\Update Application.vbs | text | |
MD5:4FDDC3783D6C229784A8C36B9EDF001F | SHA256:C7137024C89C61061862DD0FC4DF7F8894DF991013F2E5EAE393AF9C5563355C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2832 | RegAsm.exe | 172.111.154.46:5557 | ninja5557.ddns.net | AltusHost B.V. | GB | malicious |
Domain | IP | Reputation |
---|---|---|
ninja5557.ddns.net |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2832 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection |
2832 | RegAsm.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Desktop) |
2832 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Bladabindi/njRAT CnC Command (ll) |