| File name: | Crypter Algorithme And Splet Hex Server.rar |
| Full analysis: | https://app.any.run/tasks/d4cfacf5-3833-498a-a691-20bddde9432e |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | September 17, 2024, 00:04:04 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 053046D6FD924FA854135777E296B4D5 |
| SHA1: | 815A2E6A5F3117551815D122660D2999EFD7AD37 |
| SHA256: | 6485B78F4E016B16A1147268B6445291CD4442BD6D21FC9C1D7F76E509787BA0 |
| SSDEEP: | 49152:HMTJDTwh53mmocyaTpDZ1C4yI5vx1G924xW90q9EooBUzF97DuaoDjWO5ZpQxugj:mJMmcyQDZB7g9fs90e9oBUzDWVgcbRhM |
MALICIOUS
Create files in the Startup directory
- OneDrive.exe (PID: 5704)
Changes the autorun value in the registry
- OneDrive.exe (PID: 5704)
NjRAT is detected
- OneDrive.exe (PID: 5704)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 6168)
- Hazem pro.exe (PID: 780)
Reads the date of Windows installation
- Hazem pro.exe (PID: 780)
Executable content was dropped or overwritten
- Hazem pro.exe (PID: 780)
- OneDrive.exe (PID: 5704)
Uses NETSH.EXE to add a firewall rule or allowed programs
- OneDrive.exe (PID: 5704)
Connects to unusual port
- OneDrive.exe (PID: 5704)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 6168)
The process uses the downloaded file
- WinRAR.exe (PID: 6168)
- Hazem pro.exe (PID: 780)
Creates files or folders in the user directory
- Hazem pro.exe (PID: 780)
- OneDrive.exe (PID: 5704)
Reads the computer name
- Hazem pro.exe (PID: 780)
- Hazem pro.exe (PID: 5720)
- OneDrive.exe (PID: 5704)
Checks supported languages
- Hazem pro.exe (PID: 780)
- OneDrive.exe (PID: 5704)
- Hazem pro.exe (PID: 5720)
Process checks computer location settings
- Hazem pro.exe (PID: 780)
Reads the machine GUID from the registry
- Hazem pro.exe (PID: 780)
- OneDrive.exe (PID: 5704)
Reads the software policy settings
- slui.exe (PID: 6836)
Reads Environment values
- OneDrive.exe (PID: 5704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
137
Monitored processes
10
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 780 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb6168.26526\Crypter Algorithme And Splet Hex Server\Hazem pro.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb6168.26526\Crypter Algorithme And Splet Hex Server\Hazem pro.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1184 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5704 | "C:\Users\admin\AppData\Roaming\OneDrive.exe" | C:\Users\admin\AppData\Roaming\OneDrive.exe | Hazem pro.exe | ||||||||||||
User: admin Company: كس اختك هههه Integrity Level: MEDIUM Description: OneDrive Version: 9.5.4.2 Modules
| |||||||||||||||
| 5720 | "C:\Users\admin\AppData\Roaming\Hazem pro.exe" | C:\Users\admin\AppData\Roaming\Hazem pro.exe | — | Hazem pro.exe | |||||||||||
User: admin Company: Hazem crypter 2015 Integrity Level: MEDIUM Description: Hazem crypter 2015 Version: 1.0.0.0 Modules
| |||||||||||||||
| 6168 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Crypter Algorithme And Splet Hex Server.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 6836 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6912 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6968 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6980 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\OneDrive.exe" "OneDrive.exe" ENABLE | C:\Windows\System32\netsh.exe | — | OneDrive.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 519
Read events
4 424
Write events
95
Delete events
0
Modification events
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Crypter Algorithme And Splet Hex Server.rar | |||
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (6168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5704) OneDrive.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 5f137ae7d0d66d9b5cded8a570234747 |
Value: "C:\Users\admin\AppData\Roaming\OneDrive.exe" .. | |||
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6168 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb6168.26526\Crypter Algorithme And Splet Hex Server\Hazem pro.exe | executable | |
MD5:9D399494A5EDAB7861687DB8301165EE | SHA256:21A76A566962C21072555E4BB5121349968CA8E5A4A459B8C628F50BE8EDB549 | |||
| 5704 | OneDrive.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f137ae7d0d66d9b5cded8a570234747.exe | executable | |
MD5:3BB4BCF94CBDC788E8F6CF4D38BE466F | SHA256:96A4A6B8B82EACB3F6E6735462A13A79F24237A78FE40158C36F7271BA232347 | |||
| 780 | Hazem pro.exe | C:\Users\admin\AppData\Roaming\Hazem pro.exe | executable | |
MD5:B896198C117A77A965F3B6A5D1D58F3D | SHA256:51136630C2CFF9F8FCE660C89A5A81409AD6FDDFEBCC5FEFDFAEA21040FA020B | |||
| 780 | Hazem pro.exe | C:\Users\admin\AppData\Roaming\OneDrive.exe | executable | |
MD5:3BB4BCF94CBDC788E8F6CF4D38BE466F | SHA256:96A4A6B8B82EACB3F6E6735462A13A79F24237A78FE40158C36F7271BA232347 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
34
DNS requests
18
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6416 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7056 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4824 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4824 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7056 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6552 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
7056 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7056 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6416 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
maestro49.ddns.net |
| malicious |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
2256 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |