File name: XEN 1.0.4 [ FUD Crypter ].rar
Full analysis: https://app.any.run/tasks/d8afadbe-ff6e-4929-b3b6-9128a66d4a54
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: May 29, 2020, 22:17:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, stealer, rat, njrat, bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 1E8123D9329FB2ED123CED86C5E95DCB
SHA1: DF7B6D460F19015140AC9ECD38B245D260AA9F07
SHA256: 7A3DAE1FADAD89A3EACC2E79DA5C7D844C083DD272CB13562AD7A3467C1BCED9
SSDEEP: 12288:tQSss2oytmEG2ypoLtfehF4ufg7IBTvp4+4G+iyfReYNT:WSss2oyY72QQtRufg7IBT2+yY2T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • simple server.exe (PID: 3424)
      • XEN Crypter.exe (PID: 3948)
      • XEN Crypter.exe (PID: 3456)
      • XEN Crypter.exe (PID: 3340)
      • windows firewall.exe (PID: 3644)
      • XEN.exe (PID: 2316)
      • Server3.exe (PID: 2376)
      • Server.exe (PID: 948)
      • Server5.exe (PID: 2852)
      • FUD Server.exe (PID: 4048)
      • Server.exe (PID: 2460)
      • svhost.exe (PID: 3212)
      • svhost5.exe (PID: 2204)
      • svhost3.exe (PID: 4036)
      • WUDFHost.exe (PID: 2312)
      • svhost.exe (PID: 3728)
    • Disables Windows Defender

      • WScript.exe (PID: 2692)
      • WScript.exe (PID: 2240)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3012)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2464)
    • Actions look like stealing of personal data

      • vbc.exe (PID: 3240)
    • Loads dropped or rewritten executable

      • vbc.exe (PID: 3240)
    • Stealing of credential data

      • vbc.exe (PID: 3240)
    • NJRAT was detected

      • svhost3.exe (PID: 4036)
      • svhost5.exe (PID: 2204)
      • svhost.exe (PID: 3728)
    • Changes the autorun value in the registry

      • svhost.exe (PID: 3728)
      • svhost5.exe (PID: 2204)
      • svhost3.exe (PID: 4036)
    • Writes to a start menu file

      • svhost.exe (PID: 3728)
      • svhost3.exe (PID: 4036)
      • svhost5.exe (PID: 2204)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • XEN Crypter.exe (PID: 3948)
      • simple server.exe (PID: 3424)
      • XEN Crypter.exe (PID: 3340)
      • XEN.exe (PID: 2316)
      • vbc.exe (PID: 3240)
      • Server.exe (PID: 948)
      • Server5.exe (PID: 2852)
      • Server3.exe (PID: 2376)
      • FUD Server.exe (PID: 4048)
      • svhost3.exe (PID: 4036)
      • svhost5.exe (PID: 2204)
      • svhost.exe (PID: 3728)
    • Starts itself from another location

      • XEN Crypter.exe (PID: 3948)
      • Server3.exe (PID: 2376)
      • Server5.exe (PID: 2852)
      • FUD Server.exe (PID: 4048)
    • Application launched itself

      • WScript.exe (PID: 2088)
    • Executes scripts

      • simple server.exe (PID: 3424)
      • WScript.exe (PID: 3008)
      • XEN.exe (PID: 2316)
      • windows firewall.exe (PID: 3644)
      • WScript.exe (PID: 2088)
    • Executes PowerShell scripts

      • WScript.exe (PID: 2240)
      • WScript.exe (PID: 2692)
    • Creates files in the user directory

      • XEN.exe (PID: 2316)
      • vbc.exe (PID: 3240)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 3596)
      • powershell.exe (PID: 2620)
      • powershell.exe (PID: 956)
      • powershell.exe (PID: 944)
      • powershell.exe (PID: 3940)
      • powershell.exe (PID: 3288)
      • powershell.exe (PID: 2928)
      • powershell.exe (PID: 2744)
      • powershell.exe (PID: 2708)
      • powershell.exe (PID: 3204)
      • powershell.exe (PID: 3984)
      • powershell.exe (PID: 2284)
      • powershell.exe (PID: 2820)
      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 1004)
      • powershell.exe (PID: 3672)
      • powershell.exe (PID: 1344)
      • powershell.exe (PID: 2648)
      • powershell.exe (PID: 3688)
      • powershell.exe (PID: 3980)
      • powershell.exe (PID: 3700)
      • svhost5.exe (PID: 2204)
      • svhost3.exe (PID: 4036)
      • svhost.exe (PID: 3728)
    • Starts CMD.EXE for commands execution

      • XEN.exe (PID: 2316)
    • Reads the cookies of Google Chrome

      • vbc.exe (PID: 3240)
    • Reads the cookies of Mozilla Firefox

      • vbc.exe (PID: 3240)
    • Checks for external IP

      • vbc.exe (PID: 3240)
    • Searches for installed software

      • vbc.exe (PID: 3240)
    • Uses NETSH.EXE for network configuration

      • svhost3.exe (PID: 4036)
      • svhost5.exe (PID: 2204)
      • svhost.exe (PID: 3728)
    • Executed via Task Scheduler

      • WUDFHost.exe (PID: 2312)
  • INFO

    • Manual execution by user

      • XEN Crypter.exe (PID: 3948)
      • XEN Crypter.exe (PID: 3456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 111
Monitored processes: 49
Malicious processes: 17
Suspicious processes: 1

Behavior graph

Interactive process graph available in the full report (click a process to see its details). The chain starts at winrar.exe and xen crypter.exe and runs through simple server.exe, windows firewall.exe, fud server.exe, xen.exe, server.exe/server3.exe/server5.exe, wscript.exe, many powershell.exe instances, vbc.exe, cmd.exe, schtasks.exe, wudfhost.exe and netsh.exe; the nodes tagged #NJRAT are svhost3.exe, svhost5.exe and svhost.exe.

Process information

PID: 2796
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XEN 1.0.4 [ FUD Crypter ].rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3456
CMD: "C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe"
Path: C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 3948
CMD: "C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe"
Path: C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3340
CMD: "C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe"
Path: C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe
Parent process: XEN Crypter.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3424
CMD: "C:\Users\admin\AppData\Local\Temp\simple server.exe"
Path: C:\Users\admin\AppData\Local\Temp\simple server.exe
Parent process: XEN Crypter.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3644
CMD: "C:\Users\admin\AppData\Local\Temp\windows firewall.exe"
Path: C:\Users\admin\AppData\Local\Temp\windows firewall.exe
Parent process: XEN Crypter.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 4048
CMD: "C:\Users\admin\AppData\Local\Temp\FUD Server.exe"
Path: C:\Users\admin\AppData\Local\Temp\FUD Server.exe
Parent process: XEN Crypter.exe
User: admin
Company: DB Browser for SQLite Team
Integrity Level: HIGH
Description: DB Browser for SQLite
Exit code: 0
Version: 3.11.2.20190403

PID: 2088
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\script.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: simple server.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2316
CMD: "C:\Users\admin\AppData\Local\Temp\XEN.exe"
Path: C:\Users\admin\AppData\Local\Temp\XEN.exe
Parent process: XEN Crypter.exe
User: admin
Integrity Level: HIGH
Description: XEN
Version: 1.0.0.0

PID: 2376
CMD: "C:\Users\admin\AppData\Local\Temp\Server3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Server3.exe
Parent process: simple server.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 9 612
Read events: 8 019
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 17
Suspicious files: 35
Text files: 4
Unknown types: 6

Dropped files

PID | Process | Filename | Type
2796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2796.48415\XEN 1.0.4 [ FUD Crypter ]\stub.exe | -
  MD5 / SHA256: not listed
2796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2796.48415\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe | -
  MD5 / SHA256: not listed
3340 | XEN Crypter.exe | C:\Users\admin\AppData\Local\Temp\FUD Server.exe | executable
  MD5: 30D3350C9DFAD8434E56BCB554732633
  SHA256: 01E349A35DF90BF54FB43F03ACE7D5C28EB1AC8B71DF3CA28B626CE5D8DD89B5
3948 | XEN Crypter.exe | C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe | executable
  MD5: 5D9CAAAE99A55961AB0CAD0D2F0FE59E
  SHA256: 5EB7CCBA0DE54645A7D865218AE37EDE6BE05DE22E989062F008392410AD75D0
2316 | XEN.exe | C:\Users\admin\AppData\Roaming\Notepad++K\WUDFHost.exe | executable
  MD5: D60A28CAA7D2B4DD0DAB3EBD4625D919
  SHA256: BF4D51A627E70C8ACB1A7CD85A1E007DFA3CE10B18433B8E043A213E3DA915C8
3240 | vbc.exe | C:\Users\admin\AppData\Roaming\kzlglt3e\oibqfe2v.emb | sqlite
  MD5: 60B51BA20224AC3783E213EA9F55F125
  SHA256: 0E305BA02985F26B29B234CD79D2C2AF0A51085DA2DB2BED98D20F8C61B76254
2260 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OP3RMAUJ0OHJI7ICHQ8E.temp | -
  MD5 / SHA256: not listed
3340 | XEN Crypter.exe | C:\Users\admin\AppData\Local\Temp\XEN.exe | executable
  MD5: 73FD3D30A2C82CADA11FE6D881BD989F
  SHA256: B8C013B55A360359554CF2B85F4BED7630B2C2E29C138FB79212615B7EAEC113
3240 | vbc.exe | C:\Users\admin\AppData\Roaming\kzlglt3e\wkp04hnm.nxq | sqlite
  MD5: 7C426E0FC19063A433349CE713DA84A0
  SHA256: 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C
3240 | vbc.exe | C:\Users\admin\AppData\Roaming\kzlglt3e\knkkynjc.ll4 | sqlite
  MD5: EEFF6A10360F51143449247286180D9B
  SHA256: 6FE703DE675D6AEFC85BCD464049F820A571B56D05667AB329A6D333765CE8D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 4
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3240 | vbc.exe | GET | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/HzwbM.png | NL | binary | 370 Kb | malicious
2316 | XEN.exe | GET | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/cat.png | NL | binary | 356 Kb | malicious
3240 | vbc.exe | GET | 200 | 54.225.66.103:80 | http://api.ipify.org/ | US | text | 13 b | shared
3240 | vbc.exe | POST | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/cart.php | NL | html | 2.07 Kb | malicious
2316 | XEN.exe | GET | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/kek.png | NL | binary | 1.02 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4036 | svhost3.exe | 141.255.153.253:6666 | hackerguru.duckdns.org | Lost Oasis SARL | NL | malicious
3240 | vbc.exe | 5.79.66.145:80 | mytestftpforme.kl.com.ua | LeaseWeb Netherlands B.V. | NL | malicious
2316 | XEN.exe | 5.79.66.145:80 | mytestftpforme.kl.com.ua | LeaseWeb Netherlands B.V. | NL | malicious
3240 | vbc.exe | 54.225.66.103:80 | api.ipify.org | Amazon.com, Inc. | US | shared

DNS requests

Domain | IP | Reputation
mytestftpforme.kl.com.ua | 5.79.66.145 | malicious
api.ipify.org | 54.225.66.103, 23.21.59.179, 54.221.234.156, 54.225.178.192, 54.243.162.249, 54.225.191.113, 50.19.115.217, 54.225.182.172 | shared
anonymousbaba460.ddns.net | 0.0.0.0 | malicious
hackerguru.duckdns.org | 141.255.153.253 | malicious
hackerguru.ddns.net | 0.0.0.0 | malicious

Threats

PID | Process | Class | Message
3240 | vbc.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
No debug info