Field | Value
---|---
File name | Marshmello.rar
Full analysis | https://app.any.run/tasks/a0b78011-05f2-4fa9-96b2-56aa91c218d4
Verdict | Malicious activity
Threats | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.
Analysis date | May 30, 2020, 11:13:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 44D267BB15857754D8D2F5DBE72F8F28
SHA1 | 172C6B8794B140557B837AAA8EEACAD32FD31571
SHA256 | 775FBBE8511A32A27B21BA56720DD465418DAA82025B854AAC121D96558611F8
SSDEEP | 196608:Txf6KBDauq5EVQ4IhEAYmZR7TWaY91+Tvr+miIXwkq/WLGkeM:dfRUDuTMCmZRnOCTvr+qgkquao
Extension | Detected type (score)
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3012 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Marshmello.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2628 | "C:\Users\admin\Desktop\Marshmello\Synapse Loader.exe" | C:\Users\admin\Desktop\Marshmello\Synapse Loader.exe | | explorer.exe | User: admin; Company: Synaptics; Integrity Level: MEDIUM; Description: Synaptics Pointing Device Driver; Exit code: 0; Version: 1.0.0.4
3040 | "C:\Users\admin\Desktop\Marshmello\._cache_Synapse Loader.exe" | C:\Users\admin\Desktop\Marshmello\._cache_Synapse Loader.exe | | Synapse Loader.exe | User: admin; Integrity Level: MEDIUM; Description: WindowsFormsApplication1; Exit code: 1; Version: 1.0.0.0
3708 | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | C:\ProgramData\Synaptics\Synaptics.exe | | Synapse Loader.exe | User: admin; Company: Synaptics; Integrity Level: HIGH; Description: Synaptics Pointing Device Driver; Version: 1.0.0.4
3984 | "C:\Users\admin\Desktop\Marshmello\Synapse 3.0.exe" | C:\Users\admin\Desktop\Marshmello\Synapse 3.0.exe | — | ._cache_Synapse Loader.exe | User: admin; Company: Synaptics; Integrity Level: MEDIUM; Description: Synaptics Pointing Device Driver; Exit code: 0; Version: 1.0.0.4
3500 | "C:\Users\admin\Desktop\Marshmello\._cache_Synapse 3.0.exe" | C:\Users\admin\Desktop\Marshmello\._cache_Synapse 3.0.exe | — | Synapse 3.0.exe | User: admin; Integrity Level: MEDIUM; Description: WpfApplication2; Exit code: 0; Version: 1.0.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\._cache_Synapse 3.0.exe | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\._cache_Synapse Loader.exe | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\auth\Auth.ini | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\auth\Auto Attach.ini | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\auth\Imgui.ini | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\bin\._cache_Mob Console.exe | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\bin\D43AF3B6B0DD2408.bin | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\bin\Lua.xshd | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\bin\Mob Console.exe | — | — | —
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.9421\Marshmello\ICSharpCode.AvalonEdit.dll | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3708 | Synaptics.exe | GET | 200 | 172.217.22.35:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3708 | Synaptics.exe | GET | 200 | 204.140.20.21:80 | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | US | text | 31 b | whitelisted |
3708 | Synaptics.exe | GET | 200 | 172.217.22.35:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEBqGiw2vm8c0CAAAAAA%2BvZc%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3040 | ._cache_Synapse Loader.exe | 104.23.99.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
3040 | ._cache_Synapse Loader.exe | 162.159.133.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
3708 | Synaptics.exe | 101.86.170.36:1199 | xred.mooo.com | China Telecom (Group) | CN | suspicious |
3708 | Synaptics.exe | 204.140.20.21:80 | freedns.afraid.org | Datacate Inc. | US | malicious |
3708 | Synaptics.exe | 172.217.22.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3708 | Synaptics.exe | 172.217.23.142:443 | docs.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
pastebin.com | | shared
xred.mooo.com | | suspicious
cdn.discordapp.com | | shared
freedns.afraid.org | | whitelisted
docs.google.com | | shared
ocsp.pki.goog | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com |
3708 | Synaptics.exe | A Network Trojan was detected | SPYWARE [PTsecurity] njRat style IP-Check |