analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.zip

Full analysis: https://app.any.run/tasks/6fa19801-ff41-40a6-bf75-3c21622fcf0d
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: April 25, 2019, 15:28:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

EE51045D031E03AAD7A55C53DFFEBA67

SHA1:

8AB210EBC4AABEAF02C96927B3F14215FB063ADB

SHA256:

3AFC85DAC0234D96B8684C5664EC8764105DBEFAD3D3673A53CC321D0D10CBE8

SSDEEP:

24576:OxS7tkc+m8VFP1WsugI/GI7AlNETnxmWYOesnBc8mmYSSkS2WcO:OSkmsNtCOI7aETnxXNTi9Si

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Malwarebytes by FuseFire.exe (PID: 3148)
      • WerFault.exe (PID: 3088)
      • WerFault.exe (PID: 2068)
      • Malwarebytes by FuseFire.exe (PID: 2432)
    • Application was dropped or rewritten from another process

      • Malwarebytes by FuseFire.exe (PID: 3148)
      • Malwarebytes by FuseFire.exe (PID: 2464)
      • Malwarebytes by FuseFire.exe (PID: 2344)
      • Malwarebytes by FuseFire.exe (PID: 1892)
      • Malwarebytes by FuseFire.exe (PID: 3240)
      • Malwarebytes by FuseFire.exe (PID: 2432)
    • Known privilege escalation attack

      • Malwarebytes by FuseFire.exe (PID: 2464)
      • Malwarebytes by FuseFire.exe (PID: 2344)
    • Writes to a start menu file

      • Malwarebytes by FuseFire.exe (PID: 3240)
      • Malwarebytes by FuseFire.exe (PID: 1892)
    • NJRAT was detected

      • RegAsm.exe (PID: 3484)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Malwarebytes by FuseFire.exe (PID: 3240)
      • Malwarebytes by FuseFire.exe (PID: 3148)
      • Malwarebytes by FuseFire.exe (PID: 1892)
      • Malwarebytes by FuseFire.exe (PID: 2432)
    • Modifies the open verb of a shell class

      • Malwarebytes by FuseFire.exe (PID: 2464)
      • Malwarebytes by FuseFire.exe (PID: 2344)
    • Creates files in the user directory

      • Malwarebytes by FuseFire.exe (PID: 3240)
    • Creates files in the program directory

      • WerFault.exe (PID: 3088)
      • WerFault.exe (PID: 2068)
    • Uses NETSH.EXE for network configuration

      • RegAsm.exe (PID: 3484)
  • INFO

    • Application was crashed

      • Malwarebytes by FuseFire.exe (PID: 3148)
      • Malwarebytes by FuseFire.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:25 15:55:19
ZipCRC: 0x12f77af8
ZipCompressedSize: 19760
ZipUncompressedSize: 50688
ZipFileName: [CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest/AgileDotNet.VMRuntime.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
16
Malicious processes
5
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs malwarebytes by fusefire.exe no specs eventvwr.exe no specs eventvwr.exe malwarebytes by fusefire.exe malwarebytes by fusefire.exe #NJRAT regasm.exe netsh.exe no specs werfault.exe no specs malwarebytes by fusefire.exe no specs eventvwr.exe no specs eventvwr.exe malwarebytes by fusefire.exe malwarebytes by fusefire.exe regasm.exe no specs werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2668"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2464"C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
932"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exeMalwarebytes by FuseFire.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Event Viewer Snapin Launcher
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2284"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exe
Malwarebytes by FuseFire.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Viewer Snapin Launcher
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3240"C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe
eventvwr.exe
User:
admin
Integrity Level:
HIGH
3148"C:\Users\admin\AppData\Local\Temp\Malwarebytes by FuseFire.exe" C:\Users\admin\AppData\Local\Temp\Malwarebytes by FuseFire.exe
Malwarebytes by FuseFire.exe
User:
admin
Integrity Level:
HIGH
Description:
Malwarebytes by FuseFire
Exit code:
3762504530
Version:
1.0.0.0
3484"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Malwarebytes by FuseFire.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3204netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLEC:\Windows\system32\netsh.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3088C:\Windows\system32\WerFault.exe -u -p 3148 -s 720C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2344"C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe" C:\Users\admin\Desktop\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
1 521
Read events
1 415
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
2
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\AgileDotNet.VMRuntime.dll
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Colorful.Console.dll
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Hits\Business.txt
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Hits\Business_RAW.txt
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Keys.txt
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Malwarebytes by FuseFire.exe
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\Proxies.txt
MD5:
SHA256:
2668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2668.15768\[CRACKED] MALWAREBYTES GEN & CHECKER BY FUSEFIRE v1.5 Latest\RestSharp.dll
MD5:
SHA256:
3088WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Malwarebytes by FuseFire.exe.3148.dmp
MD5:
SHA256:
2068WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Malwarebytes by FuseFire.exe.2432.dmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3484
RegAsm.exe
172.111.154.46:5557
ninja5557.ddns.net
AltusHost B.V.
GB
malicious

DNS requests

Domain
IP
Reputation
ninja5557.ddns.net
  • 172.111.154.46
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info