File name:

Server2.exe

Full analysis: https://app.any.run/tasks/769859c7-192c-450f-a5e7-f8ca56154737
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: February 17, 2025, 18:01:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
njrat
rat
bladabindi
remote
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

01DAE42641DF38987BD4A7FA3B309794

SHA1:

56679BFDA33C5F6CC0CD4F1A650DC3684D03FF20

SHA256:

976E5AAF5FEC5C774AE5C6156AAAD076B709ED7565E1DF19F71313FA7E574803

SSDEEP:

768:Bxyl8zs2c7lXXS1oJpwJqqiD8ZuSNujEXcI:BQlKs1Xaofw8E3NeE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NJRAT has been detected (YARA)

      • Server2.exe (PID: 6304)

    • NJRAT has been detected (SURICATA)

      • Server2.exe (PID: 6304)

    • Connects to the CnC server

      • Server2.exe (PID: 6304)

  • SUSPICIOUS

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Server2.exe (PID: 6304)

    • Contacting a server suspected of hosting an CnC

      • Server2.exe (PID: 6304)

  • INFO

    • Checks supported languages

      • Server2.exe (PID: 6304)

    • Reads the machine GUID from the registry

      • Server2.exe (PID: 6304)

    • Reads the computer name

      • Server2.exe (PID: 6304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(6304) Server2.exe
C2192.168.1.1
Ports8080
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\0558305d866f67d51401f01fe2158def
Splitter|'|'|
Versionim523
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:17 17:56:56+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 35840
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xabae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NJRAT server2.exe netsh.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6304"C:\Users\admin\Desktop\Server2.exe" C:\Users\admin\Desktop\Server2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\server2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
NjRat
(PID) Process(6304) Server2.exe
C2192.168.1.1
Ports8080
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\0558305d866f67d51401f01fe2158def
Splitter|'|'|
Versionim523
6672netsh firewall add allowedprogram "C:\Users\admin\Desktop\Server2.exe" "Server2.exe" ENABLEC:\Windows\SysWOW64\netsh.exeServer2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6680\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
845
Read events
845
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
5
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1016
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1016
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1016
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1016
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1016
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1016
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.177
  • 23.48.23.147
  • 23.48.23.167
  • 23.48.23.145
  • 23.48.23.176
  • 23.48.23.143
  • 23.48.23.173
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 20.42.65.91
whitelisted

Threats

PID
Process
Class
Message
6304
Server2.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
6304
Server2.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
6304
Server2.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
6304
Server2.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
6304
Server2.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
6304
Server2.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Server2.exe