Field | Value
---|---|
File name | XEN 1.0.4 [ FUD Crypter ].rar
Full analysis | https://app.any.run/tasks/d8afadbe-ff6e-4929-b3b6-9128a66d4a54
Verdict | Malicious activity
Threats | njRAT is a remote access trojan (RAT). It is one of the most widely available RATs, and an abundance of educational material (including YouTube tutorials) has made it one of the most popular RATs in the world.
Analysis date | May 29, 2020, 22:17:11
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 1E8123D9329FB2ED123CED86C5E95DCB
SHA1 | DF7B6D460F19015140AC9ECD38B245D260AA9F07
SHA256 | 7A3DAE1FADAD89A3EACC2E79DA5C7D844C083DD272CB13562AD7A3467C1BCED9
SSDEEP | 12288:tQSss2oytmEG2ypoLtfehF4ufg7IBTvp4+4G+iyfReYNT:WSss2oyY72QQtRufg7IBT2+yY2T
Extension | Type | Match (%)
---|---|---|
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
2796 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XEN 1.0.4 [ FUD Crypter ].rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
3456 | "C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe" | C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
3948 | "C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe" | C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe | — | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0
3340 | "C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe" | C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe | — | XEN Crypter.exe | User: admin; Integrity Level: HIGH; Exit code: 0
3424 | "C:\Users\admin\AppData\Local\Temp\simple server.exe" | C:\Users\admin\AppData\Local\Temp\simple server.exe | — | XEN Crypter.exe | User: admin; Integrity Level: HIGH; Exit code: 0
3644 | "C:\Users\admin\AppData\Local\Temp\windows firewall.exe" | C:\Users\admin\AppData\Local\Temp\windows firewall.exe | — | XEN Crypter.exe | User: admin; Integrity Level: HIGH; Exit code: 0
4048 | "C:\Users\admin\AppData\Local\Temp\FUD Server.exe" | C:\Users\admin\AppData\Local\Temp\FUD Server.exe | — | XEN Crypter.exe | User: admin; Company: DB Browser for SQLite Team; Integrity Level: HIGH; Description: DB Browser for SQLite; Exit code: 0; Version: 3.11.2.20190403
2088 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\script.vbs" | C:\Windows\System32\WScript.exe | — | simple server.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2316 | "C:\Users\admin\AppData\Local\Temp\XEN.exe" | C:\Users\admin\AppData\Local\Temp\XEN.exe | — | XEN Crypter.exe | User: admin; Integrity Level: HIGH; Description: XEN; Version: 1.0.0.0
2376 | "C:\Users\admin\AppData\Local\Temp\Server3.exe" | C:\Users\admin\AppData\Local\Temp\Server3.exe | — | simple server.exe | User: admin; Integrity Level: HIGH; Exit code: 0

PID 3456 exited with 3221226540, which is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED): the first launch at MEDIUM integrity requested UAC elevation, and the same binary was then re-run from explorer.exe as PID 3948 at HIGH integrity, consistent with the prompt being accepted. Every process that follows inherits HIGH integrity. PIDs 3240 (vbc.exe), 2260 (powershell.exe) and 4036 (svhost3.exe) appear in the file and network tables below but are absent from the process list as captured.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2796.48415\XEN 1.0.4 [ FUD Crypter ]\stub.exe | — | — | —
2796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2796.48415\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe | — | — | —
3340 | XEN Crypter.exe | C:\Users\admin\AppData\Local\Temp\FUD Server.exe | executable | 30D3350C9DFAD8434E56BCB554732633 | 01E349A35DF90BF54FB43F03ACE7D5C28EB1AC8B71DF3CA28B626CE5D8DD89B5
3948 | XEN Crypter.exe | C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe | executable | 5D9CAAAE99A55961AB0CAD0D2F0FE59E | 5EB7CCBA0DE54645A7D865218AE37EDE6BE05DE22E989062F008392410AD75D0
2316 | XEN.exe | C:\Users\admin\AppData\Roaming\Notepad++K\WUDFHost.exe | executable | D60A28CAA7D2B4DD0DAB3EBD4625D919 | BF4D51A627E70C8ACB1A7CD85A1E007DFA3CE10B18433B8E043A213E3DA915C8
3240 | vbc.exe | C:\Users\admin\AppData\Roaming\kzlglt3e\oibqfe2v.emb | sqlite | 60B51BA20224AC3783E213EA9F55F125 | 0E305BA02985F26B29B234CD79D2C2AF0A51085DA2DB2BED98D20F8C61B76254
2260 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OP3RMAUJ0OHJI7ICHQ8E.temp | — | — | —
3340 | XEN Crypter.exe | C:\Users\admin\AppData\Local\Temp\XEN.exe | executable | 73FD3D30A2C82CADA11FE6D881BD989F | B8C013B55A360359554CF2B85F4BED7630B2C2E29C138FB79212615B7EAEC113
3240 | vbc.exe | C:\Users\admin\AppData\Roaming\kzlglt3e\wkp04hnm.nxq | sqlite | 7C426E0FC19063A433349CE713DA84A0 | 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C
3240 | vbc.exe | C:\Users\admin\AppData\Roaming\kzlglt3e\knkkynjc.ll4 | sqlite | EEFF6A10360F51143449247286180D9B | 6FE703DE675D6AEFC85BCD464049F820A571B56D05667AB329A6D333765CE8D5
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3240 | vbc.exe | GET | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/HzwbM.png | NL | binary | 370 Kb | malicious |
2316 | XEN.exe | GET | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/cat.png | NL | binary | 356 Kb | malicious |
3240 | vbc.exe | GET | 200 | 54.225.66.103:80 | http://api.ipify.org/ | US | text | 13 b | shared |
3240 | vbc.exe | POST | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/cart.php | NL | html | 2.07 Kb | malicious |
2316 | XEN.exe | GET | 200 | 5.79.66.145:80 | http://mytestftpforme.kl.com.ua/kek.png | NL | binary | 1.02 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4036 | svhost3.exe | 141.255.153.253:6666 | hackerguru.duckdns.org | Lost Oasis SARL | NL | malicious |
3240 | vbc.exe | 5.79.66.145:80 | mytestftpforme.kl.com.ua | LeaseWeb Netherlands B.V. | NL | malicious |
2316 | XEN.exe | 5.79.66.145:80 | mytestftpforme.kl.com.ua | LeaseWeb Netherlands B.V. | NL | malicious |
3240 | vbc.exe | 54.225.66.103:80 | api.ipify.org | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation
---|---|---|
mytestftpforme.kl.com.ua | 5.79.66.145 | malicious
api.ipify.org | 54.225.66.103 | shared
anonymousbaba460.ddns.net | — | malicious
hackerguru.duckdns.org | 141.255.153.253 | malicious
hackerguru.ddns.net | — | malicious
PID | Process | Class | Message |
---|---|---|---|
3240 | vbc.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
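The tables above are raw sandbox output; what a detection engineer wants is the handful of behaviours worth alerting on: execution of dropped binaries from %TEMP%, a script host launched by an unsigned dropper, a UAC-required exit followed by a HIGH-integrity relaunch of the same binary, a Windows system binary name (WUDFHost.exe) written under AppData, and C2 over dynamic DNS plus an external IP lookup. The script below is an added example, not ANY.RUN's code or anything from the sample: the PROCESSES, FILE_WRITES and CONNECTIONS lists are constructed by hand from the process, file and connection tables (parents are the image names the report gives, not PIDs), and the watchlists and rule names are assumptions to adapt to your environment.

```python
"""Triage rules over the events recorded in the report above.

Added example: the PROCESSES, FILE_WRITES and CONNECTIONS lists are constructed
by hand from the report's process, file and connection tables (parent is the
image name the report gives, not a PID); the watchlists are assumptions.
"""
import re
from collections import Counter, defaultdict

# 3221226540 decimal, the exit code of PID 3456: NTSTATUS STATUS_ELEVATION_REQUIRED.
STATUS_ELEVATION_REQUIRED = 0xC000042C

# (pid, image path, parent image, integrity level, exit code or None if not reported)
PROCESSES = [
    (2796, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM", 0),
    (3456, r"C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe", "explorer.exe", "MEDIUM", 3221226540),
    (3948, r"C:\Users\admin\Desktop\XEN 1.0.4 [ FUD Crypter ]\XEN Crypter.exe", "explorer.exe", "HIGH", 0),
    (3340, r"C:\Users\admin\AppData\Local\Temp\XEN Crypter.exe", "XEN Crypter.exe", "HIGH", 0),
    (3424, r"C:\Users\admin\AppData\Local\Temp\simple server.exe", "XEN Crypter.exe", "HIGH", 0),
    (3644, r"C:\Users\admin\AppData\Local\Temp\windows firewall.exe", "XEN Crypter.exe", "HIGH", 0),
    (4048, r"C:\Users\admin\AppData\Local\Temp\FUD Server.exe", "XEN Crypter.exe", "HIGH", 0),
    (2088, r"C:\Windows\System32\WScript.exe", "simple server.exe", "HIGH", 0),
    (2316, r"C:\Users\admin\AppData\Local\Temp\XEN.exe", "XEN Crypter.exe", "HIGH", None),
    (2376, r"C:\Users\admin\AppData\Local\Temp\Server3.exe", "simple server.exe", "HIGH", 0),
]
# (pid, writer image, path written)
FILE_WRITES = [
    (3340, "XEN Crypter.exe", r"C:\Users\admin\AppData\Local\Temp\FUD Server.exe"),
    (3340, "XEN Crypter.exe", r"C:\Users\admin\AppData\Local\Temp\XEN.exe"),
    (2316, "XEN.exe", r"C:\Users\admin\AppData\Roaming\Notepad++K\WUDFHost.exe"),
]
# (pid, image, remote IP, remote port, domain)
CONNECTIONS = [
    (4036, "svhost3.exe", "141.255.153.253", 6666, "hackerguru.duckdns.org"),
    (3240, "vbc.exe", "5.79.66.145", 80, "mytestftpforme.kl.com.ua"),
    (3240, "vbc.exe", "54.225.66.103", 80, "api.ipify.org"),
    (2316, "XEN.exe", "5.79.66.145", 80, "mytestftpforme.kl.com.ua"),
]

# Assumed watchlists; extend them for your environment.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org")
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me"}
SYSTEM_BINARY_NAMES = {"wudfhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}  # legitimate only under C:\Windows
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "services.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(processes, file_writes, connections):
    """Return (pid, rule, detail) findings for the behaviours seen in the report."""
    findings = []
    runs_by_path = defaultdict(list)  # same image path -> [(pid, integrity)]
    for pid, path, _parent, integrity, _exit in processes:
        runs_by_path[path.lower()].append((pid, integrity))

    for pid, path, parent, integrity, exit_code in processes:
        name = basename(path).lower()
        if USER_WRITABLE.search(path):
            findings.append((pid, "exec_from_user_writable_dir", path))
        if name in SCRIPT_HOSTS and parent.lower() not in SHELL_PARENTS:
            findings.append((pid, "script_host_from_non_shell_parent", parent))
        if exit_code == STATUS_ELEVATION_REQUIRED:
            # The binary asked for UAC elevation; a later HIGH-integrity run of the
            # same path means the prompt was accepted (PID 3456 -> 3948 here).
            relaunched = [p for p, integ in runs_by_path[path.lower()] if integ == "HIGH"]
            if relaunched:
                findings.append((pid, "uac_elevation_then_relaunch", relaunched))

    for pid, _writer, path in file_writes:
        # A Windows system binary name dropped outside C:\Windows is a masquerade
        # (the report's WUDFHost.exe under AppData\Roaming\Notepad++K).
        if basename(path).lower() in SYSTEM_BINARY_NAMES and not path.lower().startswith("c:\\windows\\"):
            findings.append((pid, "system_binary_name_masquerade", path))

    for pid, _image, ip, port, domain in connections:
        host = domain.lower()
        if host.endswith(DYNDNS_SUFFIXES):
            findings.append((pid, "dynamic_dns_c2", f"{domain}:{port}"))
        if host in IP_LOOKUP_HOSTS:
            findings.append((pid, "external_ip_lookup", domain))
        if port not in (80, 443):
            findings.append((pid, "nonstandard_port", f"{ip}:{port}"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'exec_from_user_writable_dir': 6, ...}."""
    return dict(Counter(rule for _pid, rule, _detail in findings))


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES, FILE_WRITES, CONNECTIONS):
        print(f"{pid:>5}  {rule:<36} {detail}")
```

Run as-is it produces twelve findings: six dropped executables launched from %TEMP%, WScript.exe spawned by "simple server.exe", the 3456-to-3948 elevation relaunch, the WUDFHost.exe masquerade, the duckdns C2 on port 6666 (flagged twice, for the dynamic DNS domain and the non-standard port), and the api.ipify.org lookup. Keying the relaunch rule on the full image path rather than the file name keeps the Temp copy (PID 3340) from being counted as the elevated relaunch.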