File name: | C:\Users\admin\AppData\Local\Temp\Rar$EXa3116.24136\Facebook Hijacker.exe |
Full analysis: | https://app.any.run/tasks/cc16f7a1-ebfd-4eef-9a17-5f5fac183977 |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | October 09, 2022, 18:22:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C2AFBB63C036423C1B8BD1FBAF071635 |
SHA1: | 37EC6DE5CA9C7527023ABB68E9E799E6D4EE72C2 |
SHA256: | 84C12628FE25B5F98CACFF169F031E005067BB9D71494D67715B54D815406CD8 |
SSDEEP: | 12288:LToPWBv/cpGrU3yBGkN1qHxQ/D0S/g0PbmlImGr59aAqgR:LTbBv5rUDpubRbmlImGrfAm |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Mar-03 13:15:57 |
Detected languages: |
|
Debug artifacts: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 272 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 6 |
TimeDateStamp: | 2022-Mar-03 13:15:57 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 203740 | 203776 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.71296 |
.rdata | 208896 | 44736 | 45056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.26161 |
.data | 253952 | 149280 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.38746 |
.didat | 405504 | 400 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.33273 |
.rsrc | 409600 | 208696 | 208896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.03444 |
.reloc | 618496 | 9020 | 9216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.62301 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 7.95349 | 27684 | Latin 1 / Western European | Process Default Language | RT_ICON |
2 | 5.08556 | 67624 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 5.38878 | 38056 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 5.38429 | 21640 | Latin 1 / Western European | Process Default Language | RT_ICON |
5 | 5.24396 | 16936 | Latin 1 / Western European | Process Default Language | RT_ICON |
6 | 5.50856 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 5.64845 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON |
8 | 5.83139 | 2440 | Latin 1 / Western European | Process Default Language | RT_ICON |
9 | 5.78486 | 1128 | Latin 1 / Western European | Process Default Language | RT_ICON |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |
KERNEL32.dll |
OLEAUT32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3028 | "C:\Users\admin\AppData\Local\Temp\Facebook Hijacker.exe" | C:\Users\admin\AppData\Local\Temp\Facebook Hijacker.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2104 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\Sys.cmd" " | C:\Windows\system32\cmd.exe | — | Facebook Hijacker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3560 | cmd /c start Facebok.exe | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3648 | Facebok.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Facebok.exe | — | cmd.exe | |||||||||||
User: admin Company: Madrid Integrity Level: MEDIUM Exit code: 4294967295 Version: 1.00 Modules
| |||||||||||||||
664 | cmd /c start Microsoft.exe | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1588 | Microsoft.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
924 | "C:\Users\admin\AppData\Local\Temp\tmp7722.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmp7722.tmp.exe | — | Microsoft.exe | |||||||||||
User: admin Company: BSG Integrity Level: MEDIUM Version: 1.00 Modules
| |||||||||||||||
2976 | "C:\Users\admin\AppData\Local\Temp\tmp84DF.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmp84DF.tmp.exe | — | Microsoft.exe | |||||||||||
User: admin Company: BSG Integrity Level: MEDIUM Version: 1.00 Modules
| |||||||||||||||
1580 | "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "C:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.exe" | C:\Windows\System32\netsh.exe | — | Microsoft.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2400 | "C:\Windows\System32\cmd.exe" /c ping 0 -n 2 & del "C:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.exe" | C:\Windows\System32\cmd.exe | — | Microsoft.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3028 | Facebook Hijacker.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Sys.cmd | text | |
MD5:B32E330D111894722C3A062454756A2D | SHA256:8A4480946FCCF48DF836B9C02B2A4122C7CC4C18F0AF6BCE643159784DE4AF6F | |||
3028 | Facebook Hijacker.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.exe | executable | |
MD5:EC66102014000040E566229D431AA206 | SHA256:B7C257AAC74C25F3FC568F579F64155D664F59A3743A5238DF279C35D6435380 | |||
3028 | Facebook Hijacker.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Facebok.exe | executable | |
MD5:B2B34266E3C38F89F70B4CAFA817334E | SHA256:2260A3643F899C70B7FB44E1FCFD101AC79EDCA33AA457B9D705A8E367C7825B | |||
3028 | Facebook Hijacker.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32fix.lnk | lnk | |
MD5:C68FAD3DABAD18FB28D752CCA284BDD9 | SHA256:0307C045DC12133131582A8B59626287834A4E425345C0D3629EA4BB8196D0B3 | |||
3648 | Facebok.exe | C:\Users\admin\AppData\Local\Temp\~DFBCAFE196DE0A3070.TMP | binary | |
MD5:F56BE3F0CD4824AB2ABB10AC3DAA623E | SHA256:960F07CE5BEFC91E17B2245F41D82DFA8E9178FE0C6B4D3F8CB57702C31FE2EF | |||
1588 | Microsoft.exe | C:\Users\admin\AppData\Local\Temp\tmp84DF.tmp.exe | executable | |
MD5:62CBB85434223022A0B0E369B227A3D9 | SHA256:EA3087204E3ED644308A0A96BBF319590A9B2701AC850BB63F2BA3DC4955F1FD | |||
1588 | Microsoft.exe | C:\Users\admin\AppData\Local\Temp\tmp7722.tmp.exe | executable | |
MD5:19796E0D82A76BE6DAFA5CB7B80E2506 | SHA256:65D4C633BF347ED4766DBB6E003776A017CCB632D73C6138C3E880A94C114C2D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1588 | Microsoft.exe | 3.126.224.214:14065 | 7.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious |
1588 | Microsoft.exe | 172.67.34.170:443 | pastebin.com | CLOUDFLARENET | US | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
7.tcp.eu.ngrok.io |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
1588 | Microsoft.exe | A Network Trojan was detected | ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |