File name: 1Server.exe

Full analysis: https://app.any.run/tasks/94991b02-6778-4621-969a-c86196f8f367
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 26, 2025, 13:10:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
njrat
bladabindi
remote
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 2 sections
MD5: 2109FF7DE6EF440B7EF349D348479FE4
SHA1: D446EB956C90061BE8F907CF119AAB12B973BB72
SHA256: 8AB81BEE4D20423339EA669FA942088F91C5DBEB742EFE901BCEBFF0D437B272
SSDEEP: 768:ssPnv1cDtpOGpVtgO+6iUWRxDyWEoSreASaCpdn7RIiajVQNPl1Rz4Rk3ZsOdMTC:ZFgVt/4rZE5aaCpCuZl1dDtSTNP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NJRAT has been detected (YARA)

      • 1Server.exe (PID: 7388)
    • Connects to the CnC server

      • 1Server.exe (PID: 7388)
    • NJRAT has been detected (SURICATA)

      • 1Server.exe (PID: 7388)
  • SUSPICIOUS

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • 1Server.exe (PID: 7388)
    • Connects to unusual port

      • 1Server.exe (PID: 7388)
    • Contacting a server suspected of hosting a CnC

      • 1Server.exe (PID: 7388)
  • INFO

    • Creates files in a temporary directory

      • 1Server.exe (PID: 7388)
    • Checks supported languages

      • 1Server.exe (PID: 7388)
    • Reads the machine GUID from the registry

      • 1Server.exe (PID: 7388)
    • Creates files or folders in the user directory

      • 1Server.exe (PID: 7388)
    • Reads the software policy settings

      • slui.exe (PID: 8000)
    • Reads the computer name

      • 1Server.exe (PID: 7388)
    • Checks proxy server information

      • slui.exe (PID: 8000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process: (7388) 1Server.exe
C2: 46.250.74.88
Ports: 5353
Botnet: HacKed
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\d497c6f95fb989811e2fe13d6acb86f1
Splitter: |'|'|
Version: 0.7d

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:26 13:04:20+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 94208
InitializedDataSize: 512
UninitializedDataSize: -
EntryPoint: 0x18efe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 130
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → 1server.exe (#NJRAT) → netsh.exe (no specs) → conhost.exe (no specs)
slui.exe

Process information

PID: 7388
CMD: "C:\Users\admin\Desktop\1Server.exe"
Path: C:\Users\admin\Desktop\1Server.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\1server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Indicators: NjRat configuration (see the NjRat section above)
PID: 7504
CMD: netsh firewall add allowedprogram "C:\Users\admin\Desktop\1Server.exe" "1Server.exe" ENABLE
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: 1Server.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7512
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8000
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 105
Read events: 4 104
Write events: 1
Delete events: 0

Modification events

(PID) Process: (7388) 1Server.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 7388
Process: 1Server.exe
Filename: C:\Users\admin\AppData\Roaming\app
Type: text
MD5: 5014379CF5FA31DB8A73D68D6353A145
SHA256: 538B830838CBF62E6CE267B48E2EB165030686E5B6317F0B1E9205A3E08C73B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 24
DNS requests: 6
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4268 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4268 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2104 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
4268 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7388 | 1Server.exe | 46.250.74.88:5353 | - | MTS PJSC | RU | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
7388 | 1Server.exe | Misc activity | ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7388 | 1Server.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
7388 | 1Server.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
7388 | 1Server.exe | Misc activity | ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7388 | 1Server.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
7388 | 1Server.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
No debug info