File name: NjRat 0.7D Original.zip

Full analysis: https://app.any.run/tasks/a650c75d-fcbc-4e1d-b440-e8ef94a105f0
Verdict: Malicious activity
Threats: njRAT

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, and an abundance of educational material exists for it; interested attackers can even find tutorials on YouTube. That availability has made it one of the most popular RATs in the world.

Analysis date: November 16, 2019, 12:04:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 11241DF31EF43FCF87B2AAAC9BEE8E3F
SHA1: F65CCB1C9EACE279E75B0AFC4B07F4F2D287F98E
SHA256: 5DE4D558D0A0FD47A63BE59A454CC6C7E20931FFC555CF0B9F8208F7614C00D0
SSDEEP: 24576:MPUTdAxl7MtTB+0effocgIWXOy5mXMwA8Gq8pBn974iaMGHKhyAUK:Ms2D7Mv+0efhgIGmfA8H8p/74w8ru

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • njRAT v0.7d.exe (PID: 2812)
      • Server.exe (PID: 1528)
      • server.exe (PID: 2888)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3488)
      • njRAT v0.7d.exe (PID: 2812)
    • Writes to a start menu file
      • server.exe (PID: 2888)
    • Changes the autorun value in the registry
      • server.exe (PID: 2888)
    • NJRAT was detected
      • server.exe (PID: 2888)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2168)
      • ilasm.exe (PID: 3812)
      • njRAT v0.7d.exe (PID: 2812)
      • Server.exe (PID: 1528)
      • server.exe (PID: 2888)
    • Starts itself from another location
      • Server.exe (PID: 1528)
    • Uses NETSH.EXE for network configuration
      • server.exe (PID: 2888)
    • Creates files in the user directory
      • server.exe (PID: 2888)
  • INFO
    • Manual execution by user
      • mspaint.exe (PID: 716)
      • njRAT v0.7d.exe (PID: 2812)
      • Server.exe (PID: 1528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2019:11:11 14:35:24
ZipCRC: 0x00000000
ZipCompressedSize: 2
ZipUncompressedSize: -
ZipFileName: NjRat 0.7D Original/
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph (rendered in the full report)

Process chain shown in the graph: winrar.exe (start), searchprotocolhost.exe (no specs), mspaint.exe (no specs), njrat v0.7d.exe (drop and start), ilasm.exe, server.exe, server.exe (#NJRAT), netsh.exe (no specs)

Process information

PID: 2168
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NjRat 0.7D Original.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3488
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 716
CMD: "C:\Windows\system32\mspaint.exe"
Path: C:\Windows\system32\mspaint.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Paint
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2812
CMD: "C:\Users\admin\Desktop\NjRat 0.7D Original\njRAT v0.7d.exe"
Path: C:\Users\admin\Desktop\NjRat 0.7D Original\njRAT v0.7d.exe
Parent process: explorer.exe
User: admin
Company: njq8
Integrity Level: MEDIUM
Description: njRAT
Version: 0.7.0.0

PID: 3812
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\admin\AppData\Local\Temp\stub.il" /output:"C:\Users\admin\Desktop\NjRat 0.7D Original\Server.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
Parent process: njRAT v0.7d.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Framework IL assembler
Exit code: 0
Version: 2.0.50727.5420 (Win7SP1.050727-5400)

PID: 1528
CMD: "C:\Users\admin\Desktop\NjRat 0.7D Original\Server.exe"
Path: C:\Users\admin\Desktop\NjRat 0.7D Original\Server.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2888
CMD: "C:\Users\admin\AppData\Local\Temp\server.exe"
Path: C:\Users\admin\AppData\Local\Temp\server.exe
Parent process: Server.exe
User: admin
Integrity Level: MEDIUM

PID: 3976
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Path: C:\Windows\system32\netsh.exe
Parent process: server.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 087
Read events: 1 751
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 12
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID 3812 (ilasm.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\Server.pdb
Type: -
MD5 / SHA256: not recorded

PID 2812 (njRAT v0.7d.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\RCXE020.tmp
Type: -
MD5 / SHA256: not recorded

PID 3812 (ilasm.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\Server.exe
Type: executable
MD5: 674A1B8B78F789851306D2CE2F05E5E3
SHA256: 6299888EEDB331E56D41BE71385155DF793425592971E0549B91525BE3AE6FA7

PID 2812 (njRAT v0.7d.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\Server.exe
Type: executable
MD5: 674A1B8B78F789851306D2CE2F05E5E3
SHA256: 6299888EEDB331E56D41BE71385155DF793425592971E0549B91525BE3AE6FA7

PID 1528 (Server.exe): C:\Users\admin\AppData\Local\Temp\server.exe
Type: executable
MD5: 674A1B8B78F789851306D2CE2F05E5E3
SHA256: 6299888EEDB331E56D41BE71385155DF793425592971E0549B91525BE3AE6FA7

PID 2888 (server.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe
Type: executable
MD5: 674A1B8B78F789851306D2CE2F05E5E3
SHA256: 6299888EEDB331E56D41BE71385155DF793425592971E0549B91525BE3AE6FA7

PID 2812 (njRAT v0.7d.exe): C:\Users\admin\AppData\Local\Temp\stub.il
Type: text
MD5: 87598F809D14C8BA5D1EA278F4A4A2A1
SHA256: 9F027F96413549967DBCD2199DC39AE123D8A8E20C80F7E287B42EA355AE006D

PID 2168 (WinRAR.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\Plugin\pw.dll
Type: executable
MD5: DB87DAF76C15F3808CEC149F639AA64F
SHA256: A3E4BEE1B6944AA9266BD58DE3F534A4C1896DF621881A5252A0D355A6E67C70

PID 2168 (WinRAR.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\GeoIP.dat
Type: binary
MD5: 797B96CC417D0CDE72E5C25D0898E95E
SHA256: 8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426

PID 2168 (WinRAR.exe): C:\Users\admin\Desktop\NjRat 0.7D Original\Plugin\sc2.dll
Type: executable
MD5: 19967E886EDCD2F22F8D4A58C8EA3773
SHA256: 3E5141C75B7746C0EB2B332082A165DEACB943CEF26BD84668E6B79B47BDFD93
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info