File name: mta.rar
Full analysis: https://app.any.run/tasks/c3e097ba-e41e-4d94-92cc-598e8b3b12ab
Verdict: Malicious activity
Threats: njRAT

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: March 31, 2023, 21:53:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 85C690A940EBE4FAF66452A10EF20CB8
SHA1: FE111328DBD9A07F6511CBD78C3BF030C369437D
SHA256: 43AE67F3D7AD97327C5B77AA18B7E80804B16F5EECE3792FC963AC07B60E4DCF
SSDEEP: 384:kPPtZEdfJM0xkS5LbvA10FXqFgd6V1Wwxfb86owT/k0muCJO0e/:kPPrGBM3S5LLAyqFgd6V1VjbT/k02pe/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • mta.exe (PID: 3488)
    • Create files in the Startup directory
      • mta.exe (PID: 3488)
    • NjRAT is detected
      • mta.exe (PID: 3488)
    • Changes the autorun value in the registry
      • mta.exe (PID: 3488)
    • NJRAT was detected
      • mta.exe (PID: 3488)
    • Connects to the CnC server
      • mta.exe (PID: 3488)
    • NJRAT detected by memory dumps
      • mta.exe (PID: 3488)
    • Starts CMD.EXE for self-deleting
      • mta.exe (PID: 3488)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • mta.exe (PID: 3488)
    • Uses NETSH.EXE to add a firewall rule or allowed programs
      • mta.exe (PID: 3488)
    • Connects to unusual port
      • mta.exe (PID: 3488)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs
      • mta.exe (PID: 3488)
    • Starts CMD.EXE for commands execution
      • mta.exe (PID: 3488)
  • INFO
    • The process checks LSA protection
      • netsh.exe (PID: 3756)
      • mta.exe (PID: 3488)
      • netsh.exe (PID: 3464)
      • wmpnscfg.exe (PID: 3232)
    • Checks supported languages
      • mta.exe (PID: 3488)
      • wmpnscfg.exe (PID: 3232)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1900)
    • Creates files or folders in the user directory
      • mta.exe (PID: 3488)
    • Reads the machine GUID from the registry
      • mta.exe (PID: 3488)
      • wmpnscfg.exe (PID: 3232)
    • Reads the computer name
      • mta.exe (PID: 3488)
      • wmpnscfg.exe (PID: 3232)
    • Reads Environment values
      • mta.exe (PID: 3488)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3232)
    • [YARA] Firewall manipulation strings were found
      • mta.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat configuration (PID 3488, mta.exe)

  Version: im523
  Options:
    Splitter: |'|'|
    Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\edaab890a6da9d9cf96cc12743e7184b
    Botnet: HacKed
    Ports: 24308
    C2: 147.185.221.181

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 44
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree (parent relationships as listed under Process information):

  explorer.exe
    WinRAR.exe (PID 1900) [drop and start]
      mta.exe (PID 3488) [#NJRAT]
        netsh.exe (PID 3756) [no specs]
        netsh.exe (PID 3464) [no specs]
        cmd.exe (PID 3540) [no specs]
          ping.exe (PID 3824) [no specs]
    wmpnscfg.exe (PID 3232) [no specs]

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1900
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\mta.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\ntdll.dll
  c:\windows\system32\comdlg32.dll
PID: 3488
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\mta.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\mta.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa1900.12174\mta.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\shlwapi.dll
PID: 3756
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\mta.exe" "mta.exe" ENABLE
Path: C:\Windows\System32\netsh.exe
Parent process: mta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\netsh.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
PID: 3232
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll
PID: 3464
CMD: netsh firewall delete allowedprogram "C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\mta.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: mta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\netsh.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\credui.dll
  c:\windows\system32\user32.dll
PID: 3540
CMD: cmd.exe /k ping 0 & del "C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\mta.exe" & exit
Path: C:\Windows\System32\cmd.exe
Parent process: mta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
PID: 3824
CMD: ping 0
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\ping.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\iphlpapi.dll
  c:\windows\system32\winnsi.dll
Total events: 5 152
Read events: 4 906
Write events: 236
Delete events: 10

Modification events

(PID 1900) WinRAR.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
  Operation: write
  Name: LanguageList
  Value: en-US
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write
  Name: 2
  Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write
  Name: 1
  Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write
  Name: 0
  Value: C:\Users\admin\Desktop\phacker.zip
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: name
  Value: 120
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: size
  Value: 80
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: type
  Value: 120
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: mtime
  Value: 100
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: ProxyBypass
  Value: 1
(PID 1900) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: IntranetName
  Value: 1
Executable files: 4
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files

PID 1900, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\dperg.dll
  Type: text
  MD5: 93D60CDB609EB7A8AC3EF82659115953
  SHA256: 96C533122EAD93684A2CF72C210108DD1CE75A2710F81106599606FF66D65898
PID 1900, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\esp.dll
  Type: text
  MD5: 93D60CDB609EB7A8AC3EF82659115953
  SHA256: 96C533122EAD93684A2CF72C210108DD1CE75A2710F81106599606FF66D65898
PID 3488, mta.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edaab890a6da9d9cf96cc12743e7184b.exe
  Type: executable
  MD5: 4CE5FC74F267973ED3AB8FEC01F433CE
  SHA256: C73D9C274B2F4CA33CBAF10B24862056531E3B36B181E5CB3218618EEDD76C7A
PID 1900, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\mta.exe
  Type: executable
  MD5: 4CE5FC74F267973ED3AB8FEC01F433CE
  SHA256: C73D9C274B2F4CA33CBAF10B24862056531E3B36B181E5CB3218618EEDD76C7A
PID 1900, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1900.12174\aimdr.dll
  Type: text
  MD5: 93D60CDB609EB7A8AC3EF82659115953
  SHA256: 96C533122EAD93684A2CF72C210108DD1CE75A2710F81106599606FF66D65898
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3488
Process: mta.exe
IP: 147.185.221.181:24308
ASN: PLAYIT-GG
CN: US
Reputation: malicious

DNS requests

No data

Threats

PID: 3488
Process: mta.exe
Class: Unknown Classtype
Message: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
2 ETPRO signatures available at the full report
No debug info