analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CS01.vbs

Full analysis: https://app.any.run/tasks/4c5f036b-3695-40df-bdd7-c60ac42154c3
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 15:50:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

FD73EAD430FDE52DE84CCCB80CAAAC7F

SHA1:

5335442CF6A673C16F535286B8AE8072FF45E78C

SHA256:

61C96CDB88877B3C737A1022BB6355E8489D2CC2019ECBCC15BE978186552174

SSDEEP:

1536:dnP1KoEdCWa70loE39HBYdFl4ic1AGUGOh8gOpKEyecWOaHXmMTDnqzDq1vh9Kdx:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • WScript.exe (PID: 2944)
      • regsvr32.exe (PID: 2628)

    • Writes to a start menu file

      • WScript.exe (PID: 2944)
      • MSBUILD.EXE (PID: 3900)

    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 2944)

    • Application was dropped or rewritten from another process

      • MSBUILD.EXE (PID: 3900)

    • Connects to CnC server

      • MSBUILD.EXE (PID: 3900)

    • NJRAT was detected

      • MSBUILD.EXE (PID: 3900)

    • Changes the autorun value in the registry

      • MSBUILD.EXE (PID: 3900)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2944)
      • MSBUILD.EXE (PID: 3900)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2944)
      • MSBUILD.EXE (PID: 3900)

    • Uses NETSH.EXE for network configuration

      • MSBUILD.EXE (PID: 3900)

    • Connects to unusual port

      • MSBUILD.EXE (PID: 3900)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2392)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe regsvr32.exe no specs #NJRAT msbuild.exe netsh.exe no specs winword.exe no specs taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\CS01.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2628"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\admin\AppData\Local\Temp\sasasor.vbs.BIN"C:\Windows\System32\regsvr32.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3900"C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE"C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
2.0.50727.5420 built by: Win7SP1
3824netsh firewall add allowedprogram "C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE" "MSBUILD.EXE" ENABLEC:\Windows\system32\netsh.exeMSBUILD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2392"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\associatesmortgage.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3148"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 052
Read events
813
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
2392WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR375E.tmp.cvr
MD5:
SHA256:
2392WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C10872F5-F8DB-4190-8568-A9B5E96A2D08}.tmp
MD5:
SHA256:
2392WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D5859625-981B-46D6-9DC4-FE42F4433F7D}.tmp
MD5:
SHA256:
2392WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E28831DBF8113BB11CC8B91859291AA8
SHA256:814DABAE91BE2371C7620B871758ABF600B2A5F106375327B682226F4C3175D1
3900MSBUILD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68ba45dadc1288290b303cf114eeb1fe.exeexecutable
MD5:1F13CD7F1ECB2A7BCC1FF5E287B7EB2E
SHA256:6ADC88FC0A0E108851909618442C03F57CDFC20F6DB4EE88B84C0CAF420F991F
2392WINWORD.EXEC:\Users\admin\Desktop\~$sociatesmortgage.rtfpgc
MD5:9D0BCBC5412C735C86B780B18945B8E2
SHA256:24EE4413731C8CD6BA25F57669DE5A705A957FB82A78CBB2D72F5C33E88E0067
2944WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sasasor.vbs.vbstext
MD5:FD73EAD430FDE52DE84CCCB80CAAAC7F
SHA256:61C96CDB88877B3C737A1022BB6355E8489D2CC2019ECBCC15BE978186552174
2392WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:763A5D51E041B87E254509621B5DF0EB
SHA256:DF68207FCD4531C413DF5C78B43094B0D3111B0C2EDD662B8686321C9BA06DAB
2392WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\associatesmortgage.rtf.LNKlnk
MD5:78B39CD4096C0CEE56F8502D3E6743B3
SHA256:A7ABB6D7303B0907CB14BF175A9232C732678978E79C3EAEC013B810AB66E2D9
2944WScript.exeC:\Users\admin\AppData\Local\Temp\sasasor.vbs.BINexecutable
MD5:E0B8DFD17B8E7DE760B273D18E58B142
SHA256:4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3900
MSBUILD.EXE
23.227.201.158:3047
Swiftway Sp. z o.o.
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3900
MSBUILD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] njRAT.Gen RAT outbound connection
3900
MSBUILD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] njRAT.Gen RAT outbound connection
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CS01.vbs