| File name: | .exe |
| Full analysis: | https://app.any.run/tasks/55ce916e-a985-414d-b337-07b375032a64 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | March 24, 2025, 14:47:40 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | C765DD8A420FA5C8DED87227CC0BBE44 |
| SHA1: | 85A77938CB84DCF5E446B1EB6DC274B2709E7F92 |
| SHA256: | 4944CAE1682A2298A6DAB4FD675158632BEE27FEEE6B48D753719755522937C4 |
| SSDEEP: | 768:+Dl5aDNWb9rCSY4okaAl3uiokbS2agD5PvT2XXJdxIEpmc:+DKchC0DokkgDCX3xIEpmc |
MALICIOUS
NJRAT has been detected (SURICATA)
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
NjRAT is detected
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
Connects to the CnC server
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
NJRAT has been detected (YARA)
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
SUSPICIOUS
Connects to unusual port
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
Contacting a server suspected of hosting an CnC
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
There is functionality for taking screenshot (YARA)
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
INFO
Reads the machine GUID from the registry
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
Checks supported languages
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
Reads the software policy settings
- slui.exe (PID: 8144)
Reads the computer name
- 55ce916e-a985-414d-b337-07b375032a64.exe (PID: 7780)
Checks proxy server information
- slui.exe (PID: 8144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(7780) 55ce916e-a985-414d-b337-07b375032a64.exe
C2approach-trembl.gl.at.ply.gg
Ports60000
BotnetVictim
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\21ccc5c1344d0304afc80ec3c310da24
SplitterY262SUCZ4UJJ
Version<- NjRAT 0.7d Horror Edition ->
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (45.7) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (19.4) |
| .exe | | | Win64 Executable (generic) (17.2) |
| .scr | | | Windows screen saver (8.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:24 14:31:03+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 53760 |
| InitializedDataSize: | 1536 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xf03e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
122
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7780 | "C:\Users\admin\Desktop\55ce916e-a985-414d-b337-07b375032a64.exe" | C:\Users\admin\Desktop\55ce916e-a985-414d-b337-07b375032a64.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
NjRat(PID) Process(7780) 55ce916e-a985-414d-b337-07b375032a64.exe C2approach-trembl.gl.at.ply.gg Ports60000 BotnetVictim Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\21ccc5c1344d0304afc80ec3c310da24 SplitterY262SUCZ4UJJ Version<- NjRAT 0.7d Horror Edition -> | |||||||||||||||
| 8144 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 039
Read events
4 030
Write events
9
Delete events
0
Modification events
| (PID) Process: | (7780) 55ce916e-a985-414d-b337-07b375032a64.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | SEE_MASK_NOZONECHECKS |
Value: 1 | |||
| (PID) Process: | (7780) 55ce916e-a985-414d-b337-07b375032a64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\21ccc5c1344d0304afc80ec3c310da24 |
| Operation: | write | Name: | [kl] |
Value: | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
4
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7780 | 55ce916e-a985-414d-b337-07b375032a64.exe | 147.185.221.16:60000 | approach-trembl.gl.at.ply.gg | PLAYIT-GG | US | malicious |
7440 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8144 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
approach-trembl.gl.at.ply.gg |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg) |
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg) |
2196 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
7780 | 55ce916e-a985-414d-b337-07b375032a64.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
7780 | 55ce916e-a985-414d-b337-07b375032a64.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll |
7780 | 55ce916e-a985-414d-b337-07b375032a64.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
7780 | 55ce916e-a985-414d-b337-07b375032a64.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll |