File name: NjRat.0.7D.Green.Edition.zip
Full analysis: https://app.any.run/tasks/3fe9a43f-f22b-4fa4-83a0-4cfb58f46a3f
Verdict: Malicious activity
Analysis date: March 12, 2023, 11:01:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: securityxploded
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 24CDBAC5F3AB2AF691F1AD71C8354B29
SHA1: 8BBA6F29F8BFDB9328B0198890F5445584431E03
SHA256: 55E286565012CBE753A6A3083933F31BAAA7F50695B3774F0882311A4ACA6F8B
SSDEEP: 98304:z91Hn80y/7KQyW4TGHYIHPODUhfxFsEP6kyXvFyXCAm+08M:zjHG7KQ74WHhdSkyf6C9+2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • NjRat 0.7D Green Edition by im523.exe (PID: 3280)
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • Drops the executable file immediately after the start
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • SecurityXploded is detected
      • WinRAR.exe (PID: 2712)
  • SUSPICIOUS
    • Reads the Internet Settings
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • Executable content was dropped or overwritten
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • Drops a file with too old compile date
      • NjRat 0.7D Green Edition.exe (PID: 2888)
  • INFO
    • Checks supported languages
      • NjRat 0.7D Green Edition.exe (PID: 2888)
      • NjRat 0.7D Green Edition by im523.exe (PID: 3280)
      • dw20.exe (PID: 4040)
    • Manual execution by a user
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • Reads the computer name
      • NjRat 0.7D Green Edition.exe (PID: 2888)
      • NjRat 0.7D Green Edition by im523.exe (PID: 3280)
      • dw20.exe (PID: 4040)
    • The process checks LSA protection
      • NjRat 0.7D Green Edition by im523.exe (PID: 3280)
      • NjRat 0.7D Green Edition.exe (PID: 2888)
      • dw20.exe (PID: 4040)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 2712)
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2712)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 2712)
    • Create files in a temporary directory
      • NjRat 0.7D Green Edition.exe (PID: 2888)
    • Reads the machine GUID from the registry
      • NjRat 0.7D Green Edition by im523.exe (PID: 3280)
      • dw20.exe (PID: 4040)
    • Creates files or folders in the user directory
      • dw20.exe (PID: 4040)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:10:23 14:50:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: nj_users/
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 1

Behavior graph (image not reproduced; nodes: winrar.exe, njrat 0.7d green edition.exe, njrat 0.7d green edition by im523.exe, dw20.exe (no specs); edge labels: start, drop and start, #SECURITYXPLODED)

Process information

PID: 2712
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NjRat.0.7D.Green.Edition.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll

PID: 2888
CMD: "C:\Users\admin\Desktop\a\NjRat 0.7D Green Edition.exe"
Path: C:\Users\admin\Desktop\a\NjRat 0.7D Green Edition.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\a\njrat 0.7d green edition.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll

PID: 3280
CMD: "C:\Users\admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"
Path: C:\Users\admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
Parent process: NjRat 0.7D Green Edition.exe
User: admin
Integrity Level: MEDIUM
Description: NjRat 0.7D Green Edition by im523
Exit code: 3762507597 (0xE0434F4D, the CLR's unhandled managed exception code, which is why dw20.exe, the .NET error reporting shim, is spawned as its child)
Version: 0.0.0.7
Modules (images):
c:\users\admin\appdata\local\temp\njrat 0.7d green edition by im523.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll

PID: 4040
CMD: dw20.exe -x -s 676
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Parent process: NjRat 0.7D Green Edition by im523.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Error Reporting Shim
Exit code: 0
Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events: 3 858
Read events: 3 804
Write events: 54
Delete events: 0

Modification events

| PID | Process | Key | Operation | Name | Value |
|-----|---------|-----|-----------|------|-------|
| 2712 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
| 2712 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write | LastFolder | C:\Users\admin\Desktop |
Executable files: 20
Suspicious files: 2
Text files: 8
Unknown types: 2

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|-----|---------|----------|------|-----|--------|
| 4040 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_ARLL22EYCOOR4NJS_56ffd2ec7cd0f75230f6e43e165515da504bd686_0fedc446\Report.wer | | | |
| 2888 | NjRat 0.7D Green Edition.exe | C:\Users\admin\AppData\Local\Temp\123.exe | executable | 741D1CC5ABDB52CDB1D45CAFA1B6DC83 | 37BD541CAE5AF310271653043FD6EC0EACAE76DDFF8DDEB9898257A0C97BFC79 |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\NjRat 0.7D Green Edition.exe | executable | FE881D85467D440D0E4136C2CE47A8CC | 42EBCAC08F5CFB396E879211F1BE563FE803CB3BB1A84B7BED4611BB565A97EA |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\Plugin\plg.dll | executable | 0CBC2D9703FEEAD9783439E551C2B673 | EA9ECF8723788FEEF6492BF938CDFAB1266A1558DFFE75E1F78A998320F96E39 |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\Stub.manifest | xml | 4D18AC38A92D15A64E2B80447B025B7E | 835A00D6E7C43DB49AE7B3FA12559F23C2920B7530F4D3F960FD285B42B1EFB5 |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\nj_users\VM-РџРљ_vm_602F4037\Keylog.rtf | text | 92122DA996C66CBD51D8C6EA868739C5 | 9A27937010FA2BE4C9F3634FEE0BF20CBDEB64BC7141AB1BEDA02C06DE27F869 |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\Plugin\pw.dll | executable | 872401528FC94C90F3DE6658E776CC36 | 3A1CC072EFFD8C38406A6FDDF4D8F49C5366BB0E32071311D90DB669940987CE |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\Plugin\cam.dll | executable | A73EDB60B80A2DFA86735D821BEA7B19 | 7A4977B024D048B71BCC8F1CC65FB06E4353821323F852DC6740B79B9AB75C98 |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\nj_users\XTREME-HPHU46T6_Администратор_EE0C994\Keylog.rtf | text | 890CBD4ACF6BA3B475F59BF3D583DA83 | C1534AF7F44D83C419A261E90F1B226FD26171A3A55A494BC831006F9474AD5B |
| 2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2712.37671\GeoIP.dat | binary | 797B96CC417D0CDE72E5C25D0898E95E | 8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426 |
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
Debug info: No debug info