File name: | FW_ Запит.eml |
Full analysis: | https://app.any.run/tasks/b1d74a9b-e248-44e0-8b6a-9b7c90dd3111 |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | July 17, 2019, 06:46:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators |
MD5: | B4EB8641C1D1B8EBFD113ABD42944614 |
SHA1: | 740364E2624D91A45C29F861ABE003371020082E |
SHA256: | 57078B099919200470728D9E5C3FEADFE8281615753F9BBEB4AFB25414098124 |
SSDEEP: | 1536:UgXgfeDDyu/edhh5NgtdduvFMER6fqeOjM+jiNgtV9tuu4jyJY9d6ZT+h7DM:clgdmMER6ieOUu4jyJYfy+a |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3888 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\FW_ Запит.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
952 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WDRI0HMC\Запит клієнта.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
4040 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1516 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3696 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | EQNEDT32.EXE | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3036 | C:\Users\admin\AppData\Roaming\4721263.exe | C:\Users\admin\AppData\Roaming\4721263.exe | — | EQNEDT32.EXE |
User: admin Company: http://zenden.ws Integrity Level: MEDIUM Description: To Slur Icn Exit code: 0 Version: 197.572.224.492 | ||||
3096 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 4721263.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3312 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 4721263.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3792 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 4721263.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3548 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 4721263.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3888 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF695.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3888 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WDRI0HMC\Запит клієнта (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7EE0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_6BBE96E4-173A-48B7-A925-B8B3355623BE.0\F494BFC5.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
4040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_6BBE96E4-173A-48B7-A925-B8B3355623BE.0\~WRS{6272961A-69D3-4A8C-97EB-EBE10758349B}.tmp | — | |
MD5:— | SHA256:— | |||
4040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_6BBE96E4-173A-48B7-A925-B8B3355623BE.0\~WRF{0345EF79-2A90-42DE-B6C8-BCAAD193F6B5}.tmp | — | |
MD5:— | SHA256:— | |||
3888 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:B44F6E04C2C010E0440389A84764CFB7 | SHA256:7BEA831D476632E09EF2A102E3CA2C56D8936EEBABBB0434845A78665D6AB4F1 | |||
3888 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6E06AE2.dat | image | |
MD5:A35D585387B9A342E12294E3389648C2 | SHA256:BD568B2B457D4FAA3239C10451E003FA7548F6E1BF3489F8D52C8ACE40DB11A5 | |||
3888 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WDRI0HMC\Запит клієнта (2).doc | text | |
MD5:2E352DD74AE1F771B2B6501BEE5752AB | SHA256:40FB06033E15298A38C15580DAA88F81AEB83739DA0E2763F0358B0162D746E9 | |||
3888 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3888 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3888 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3696 | EQNEDT32.EXE | 104.27.143.252:443 | m.put.re | Cloudflare Inc | US | shared |
3312 | RegAsm.exe | 185.247.228.69:1990 | — | — | — | malicious |
3312 | RegAsm.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
m.put.re |
| suspicious |
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3312 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Lime-RAT (Gen.NjRAT) |
3312 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT/Bladabindi (Lime-RAT) |