File name: Keygen Xdecoder.exe

Full analysis: https://app.any.run/tasks/61a1f201-31bc-4d82-922f-6f8fe2b5fede
Verdict: Malicious activity
Threats: njRAT

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, and an abundance of educational material exists for it; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: October 08, 2023, 19:20:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi, remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A26AFC4B230CDE67DEC5E341AEF0E90F
SHA1: F5A7A08BBD039184C3E89F4EA4EF5EEB392B5FA1
SHA256: 567C4101AA7AD812B7BD42D87A5BA7D9C4F82DD7096DAA7B079CFA70649DEC2E
SSDEEP: 98304:aoA0Bl+S3HvHV/xpGL63VIPPzeb75h3G9wVLWrKtOzf8rTtZbDoGyLBIjxiDNU71:MlA6Mb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Keygen Xdecoder.exe (PID: 1648)
      • paylod.exe (PID: 3272)
    • Create files in the Startup directory

      • paylod.exe (PID: 3272)
    • Application was dropped or rewritten from another process

      • paylod.exe (PID: 3272)
      • Keygen (2).exe (PID: 2636)
    • NJRAT was detected

      • paylod.exe (PID: 3272)
    • Connects to the CnC server

      • paylod.exe (PID: 3272)
    • Changes the autorun value in the registry

      • paylod.exe (PID: 3272)
    • NJRAT has been detected (YARA)

      • paylod.exe (PID: 3272)
  • SUSPICIOUS

    • Connects to unusual port

      • paylod.exe (PID: 3272)
    • Reads the Internet Settings

      • Keygen Xdecoder.exe (PID: 1648)
  • INFO

    • Reads the machine GUID from the registry

      • Keygen Xdecoder.exe (PID: 1648)
      • paylod.exe (PID: 3272)
    • Checks supported languages

      • Keygen Xdecoder.exe (PID: 1648)
      • paylod.exe (PID: 3272)
      • Keygen (2).exe (PID: 2636)
    • Reads the computer name

      • Keygen Xdecoder.exe (PID: 1648)
      • paylod.exe (PID: 3272)
    • Create files in a temporary directory

      • Keygen Xdecoder.exe (PID: 1648)
    • Creates files or folders in the user directory

      • paylod.exe (PID: 3272)

NjRat configuration

Process: paylod.exe (PID 3272)
C2: ecutuning.ddns.net
Ports: 11560
Botnet: HacKed
Options:
  • Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\Windows
  • Splitter: |-F-|
  • Version: null
No Malware configuration.

TRiD

  • .exe | Win64 Executable (generic) (61.6%)
  • .dll | Win32 Dynamic Link Library (generic) (14.6%)
  • .exe | Win32 Executable (generic) (10%)
  • .exe | Win16/32 Executable Delphi generic (4.6%)
  • .exe | Generic Win/DOS Executable (4.4%)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:06:10 10:39:38+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 5120
InitializedDataSize: 27136
UninitializedDataSize: -
EntryPoint: 0x9367bc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: data.exe
LegalCopyright:
OriginalFileName: data.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 3.5.2.4
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph

explorer.exe starts Keygen Xdecoder.exe (no specs), which drops and starts Keygen (2).exe (no specs) and drops and starts paylod.exe (#NJRAT).

Process information

PID: 1648
CMD: "C:\Users\admin\AppData\Local\Temp\Keygen Xdecoder.exe"
Path: C:\Users\admin\AppData\Local\Temp\Keygen Xdecoder.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: (none)
Exit code: 0
Version: 0.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\keygen xdecoder.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 2636
CMD: "C:\Users\admin\AppData\Local\Temp\Keygen (2).exe"
Path: C:\Users\admin\AppData\Local\Temp\Keygen (2).exe
Parent process: Keygen Xdecoder.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\appdata\local\temp\keygen (2).exe
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll

PID: 3272
CMD: "C:\Users\admin\AppData\Local\Temp\paylod.exe"
Path: C:\Users\admin\AppData\Local\Temp\paylod.exe
Parent process: Keygen Xdecoder.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\users\admin\appdata\local\temp\paylod.exe
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1 508
Read events: 1 451
Write events: 57
Delete events: 0

Modification events

Process: Keygen Xdecoder.exe (PID 1648)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: Keygen Xdecoder.exe (PID 1648)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: Keygen Xdecoder.exe (PID 1648)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: Keygen Xdecoder.exe (PID 1648)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: paylod.exe (PID 3272)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Windows
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
Executable files: 4
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID: 1648 | Process: Keygen Xdecoder.exe
Filename: C:\Users\admin\AppData\Local\Temp\paylod.exe
Type: executable
MD5: E6149ED0CDF7E22AAA3C79DFC7150900
SHA256: B107529CCC4A4AD32AB1BD60EF6AE6B1CEBC5E5252C0A6CD53A0CF6028E346D2

PID: 3272 | Process: paylod.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe
Type: executable
MD5: E6149ED0CDF7E22AAA3C79DFC7150900
SHA256: B107529CCC4A4AD32AB1BD60EF6AE6B1CEBC5E5252C0A6CD53A0CF6028E346D2

PID: 3272 | Process: paylod.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Type: binary
MD5: EADDF8DD7CEEFFF2DE8B265970ADD314
SHA256: 8920494EA918C0D1D4CA61C94211ECC84F7504D1C6310E85A1F1942E52452218

PID: 3272 | Process: paylod.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Type: binary
MD5: 0BBF8B5C7BB547288F77898FEBE53999
SHA256: 0494B3C5ED0E3D4AE9D8659A8D46DFA4B5D78D8A4287DDFE4AA00CDE2B978FFE

PID: 3272 | Process: paylod.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
Type: executable
MD5: E6149ED0CDF7E22AAA3C79DFC7150900
SHA256: B107529CCC4A4AD32AB1BD60EF6AE6B1CEBC5E5252C0A6CD53A0CF6028E346D2

PID: 1648 | Process: Keygen Xdecoder.exe
Filename: C:\Users\admin\AppData\Local\Temp\Keygen (2).exe
Type: executable
MD5: 91B154D347D471B16C0662F071828792
SHA256: 83F395011AADF443178DC7FDFB4857A61872AB46F7D2EAC68905632965706042
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 3

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port               Domain              ASN              CN  Reputation
2656  svchost.exe  239.255.255.250:1900  -                   -                -   whitelisted
3272  paylod.exe   105.105.68.11:11560   ecutuning.ddns.net  Telecom Algeria  DZ  unknown
4     System       192.168.100.255:138   -                   -                -   whitelisted
4     System       192.168.100.255:137   -                   -                -   whitelisted

DNS requests

Domain              IP             Reputation
ecutuning.ddns.net  105.105.68.11  malicious

Threats

PID   Process      Class                                          Message
1088  svchost.exe  Potentially Bad Traffic                        ET POLICY DNS Query to DynDNS Domain *.ddns .net
1088  svchost.exe  Potentially Bad Traffic                        ET POLICY DNS Query to DynDNS Domain *.ddns .net
3272  paylod.exe   Malware Command and Control Activity Detected  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Debug output: No debug info