File name:

njRAT-v0.6.4.zip

Full analysis: https://app.any.run/tasks/a8952620-d2bc-4ecf-a48e-4d95287c3dbb
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: March 07, 2024, 20:09:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

3CCCE9D87CE9EA751ABEA094D1639D0A

SHA1:

427867B229E02869AC68DE3A605998A585AD6A80

SHA256:

5FF121C57E4A2F2F75E4985660C9666A44B39EF2549B29B3A4D6A1E06E6E3F65

SSDEEP:

49152:pmRkTADhN5ulDigt8pri+kxs9/z/pH+3h:pmRulu48p2VU/z/S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4052)
      • njRAT.exe (PID: 2420)
      • njq8.exe (PID: 2792)
      • windows.exe (PID: 1928)
    • NJRAT has been detected (YARA)

      • njRAT.exe (PID: 2420)
      • windows.exe (PID: 1928)
    • Create files in the Startup directory

      • windows.exe (PID: 1928)
    • Changes the autorun value in the registry

      • windows.exe (PID: 1928)
    • NjRAT is detected

      • windows.exe (PID: 1928)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • njRAT.exe (PID: 2420)
      • njq8.exe (PID: 2792)
    • Executable content was dropped or overwritten

      • njRAT.exe (PID: 2420)
      • njq8.exe (PID: 2792)
      • windows.exe (PID: 1928)
    • Reads the Internet Settings

      • njq8.exe (PID: 2792)
      • njRAT.exe (PID: 2420)
    • Starts itself from another location

      • njq8.exe (PID: 2792)
    • Creates file in the systems drive root

      • njRAT.exe (PID: 3180)
      • njRAT.exe (PID: 2420)
      • njq8.exe (PID: 2792)
      • taskmgr.exe (PID: 3980)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • windows.exe (PID: 1928)
  • INFO

    • Checks supported languages

      • njRAT.exe (PID: 2420)
      • njRAT.exe (PID: 3180)
      • windows.exe (PID: 1928)
      • njq8.exe (PID: 2792)
    • Manual execution by a user

      • njRAT.exe (PID: 3956)
      • njRAT.exe (PID: 2420)
      • taskmgr.exe (PID: 3980)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4052)
    • Reads the computer name

      • njRAT.exe (PID: 2420)
      • njq8.exe (PID: 2792)
      • njRAT.exe (PID: 3180)
      • windows.exe (PID: 1928)
    • Reads the machine GUID from the registry

      • njRAT.exe (PID: 2420)
      • njq8.exe (PID: 2792)
      • windows.exe (PID: 1928)
      • njRAT.exe (PID: 3180)
    • Create files in a temporary directory

      • njq8.exe (PID: 2792)
      • windows.exe (PID: 1928)
    • Reads Environment values

      • windows.exe (PID: 1928)
    • Creates files or folders in the user directory

      • windows.exe (PID: 1928)

NjRat configuration

Process: windows.exe (PID 1928)
C2: zaaptoo.zapto.org
Ports: 1177
Botnet: HacKed
Options:
  Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20
  Splitter: |'|'|
  Version: 0.6.4

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2013:09:27 11:10:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: njRAT-v0.6.4/
Total processes: 50
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  winrar.exe (PID 4052)
  njrat.exe (PID 3956, no specs)
  njrat.exe (PID 2420) #NJRAT
  njq8.exe (PID 2792)
  njrat.exe (PID 3180, no specs)
  windows.exe (PID 1928) #NJRAT
  netsh.exe (PID 1888, no specs)
  taskmgr.exe (PID 3980, no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1888
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE
Path: C:\Windows\System32\netsh.exe
Parent process: windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1928
CMD: "C:\Users\admin\AppData\Local\Temp\windows.exe"
Path: C:\Users\admin\AppData\Local\Temp\windows.exe
Parent process: njq8.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\windows.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2420
CMD: "C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe"
Path: C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe
Parent process: explorer.exe
User: admin
Company: njq8
Integrity Level: HIGH
Description: njRAT
Exit code: 1
Version: 0.6.4.0
Modules
Images
c:\users\admin\desktop\njrat-v0.6.4\njrat-v0.6.4\njrat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2792
CMD: "C:\njq8.exe"
Path: C:\njq8.exe
Parent process: njRAT.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\njq8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3180
CMD: "C:\njRAT.exe"
Path: C:\njRAT.exe
Parent process: njRAT.exe
User: admin
Company: njq8
Integrity Level: HIGH
Description: njRAT
Exit code: 1
Version: 0.6.4.0
Modules
Images
c:\njrat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3956
CMD: "C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe"
Path: C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe
Parent process: explorer.exe
User: admin
Company: njq8
Integrity Level: MEDIUM
Description: njRAT
Exit code: 3221226540
Version: 0.6.4.0
Modules
Images
c:\users\admin\desktop\njrat-v0.6.4\njrat-v0.6.4\njrat.exe
c:\windows\system32\ntdll.dll
PID: 3980
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 4052
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\njRAT-v0.6.4.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 9 639
Read events: 8 983
Write events: 656
Delete events: 0

Modification events

PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 4052, WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\njRAT-v0.6.4.zip
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 4052, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 13
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\stub.il | text
  MD5: 1B92496B750A26F2450E34500A2C4215
  SHA256: A1B65F18C7E882B1606A4EF9387D8988E6FD755D7D03214B677AD528A487D73A
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\ch.dll | executable
  MD5: 1CB8FA647355805F2AE6A7E6BB71B138
  SHA256: 89A1BBE42CDE01DDFE531D69DD6EA6575296096010400CB63CBF4999ECA52E52
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\cam.dll | executable
  MD5: 0A1CA904B3D688C01F4E5FAAE811922B
  SHA256: B02C56D29447690CDAFD8F2F6877D526D1F6EFCAAE74017719C460D9B3EE38B8
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\NAudio.dll | executable
  MD5: 422193AABD3D62275B2B98470279D9F2
  SHA256: CD9709BF1C7396F6FE3684B5177FA0890C706CA82E2B98BA58E8D8383632A3C8
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\pw.dll | executable
  MD5: DB87DAF76C15F3808CEC149F639AA64F
  SHA256: A3E4BEE1B6944AA9266BD58DE3F534A4C1896DF621881A5252A0D355A6E67C70
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\fm.dll | executable
  MD5: 51C2EE936DED2E55F8BCC8CBA6E3B330
  SHA256: F132324ACF09C0562A1CAD1288BFB4021BD991659126D21ECB9499938BF6ACB3
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\sc2.dll | executable
  MD5: BE128028F705B0233DAD7D1F603BDF78
  SHA256: D3DCB25F9004F6FCE3F3D94406AD6845D996CDA2F106A203082AED39A84FAC4E
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Stub.manifest | xml
  MD5: 4D18AC38A92D15A64E2B80447B025B7E
  SHA256: 835A00D6E7C43DB49AE7B3FA12559F23C2920B7530F4D3F960FD285B42B1EFB5
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\GeoIP.dat | binary
  MD5: 797B96CC417D0CDE72E5C25D0898E95E
  SHA256: 8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426
4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Mono.Cecil.dll | executable
  MD5: 851EC9D84343FBD089520D420348A902
  SHA256: CDADC26C09F869E21053EE1A0ACF3B2D11DF8EDD599FE9C377BD4D3CE1C9CDA9
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

Domain | IP | Reputation
zaaptoo.zapto.org | - | unknown

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.zapto .org