Malware analysis Malware.7z Malicious activity | ANY.RUN

Add for printing

File name:	Malware.7z
Full analysis:	https://app.any.run/tasks/0ac53bd2-5d20-4d19-a1cf-a38c174495b7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	January 12, 2025, 13:23:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec lua pastebin modiloader loader rat njrat bladabindi antivm upx
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	C73525D45B259E3BD508E0EAF464F533
SHA1:	30F07C93417192663EF8A305509A8316A5DE703C
SHA256:	A0F417D451039288CD8B3EA7D13DBAA0382DB7EC023EE779AA04532AF6C1CC6D
SSDEEP:	98304:FtnUY7CPcYkLttKS1qory6lCAkFftzYDcxYvjMiqoNt1xeEsd0sL0tbaqCCthuhd:NunIMEFsh0vHgkq8629+4FEir9Ly

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 828)
- Gets startup folder path (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Accesses environment variables (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Checks whether a specified folder exists (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Gets path to any of the special folders (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Reads the value of a key from the registry (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Gets TEMP folder path (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Modifies registry startup key (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Creates a new registry key or changes the value of an existing one (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Copies file to a new location (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Create files in the Startup directory
  - wscript.exe (PID: 6228)
  - JeuxNul.exe (PID: 6744)
  - ctfmon.exe (PID: 6956)
- Gets a file object corresponding to the file in a specified path (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Creates internet connection object (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Opens an HTTP connection (SCRIPT)
  - wscript.exe (PID: 6280)
- Opens a text file (SCRIPT)
  - wscript.exe (PID: 6280)
- Gets username (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses information about the status of the installed antivirus(Win32_AntivirusProduct) via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 6280)
- Sends HTTP request (SCRIPT)
  - wscript.exe (PID: 6280)
- Changes the autorun value in the registry
  - Email Hacker.exe (PID: 6732)
  - BLE.exe (PID: 7492)
  - loginServer.exe (PID: 7656)
  - ctfmon.exe (PID: 6956)
  - JeuxNul.exe (PID: 6744)
  - google.exe (PID: 3464)
  - mstwain32.exe (PID: 8108)
  - csrss.exe (PID: 5208)
- MODILOADER mutex has been found
  - Ibot.exe (PID: 8064)
  - mstwain32.exe (PID: 8108)
- NjRAT is detected
  - ctfmon.exe (PID: 6956)
  - JeuxNul.exe (PID: 6744)
  - csrss.exe (PID: 5208)
- NJRAT has been detected (YARA)
  - JeuxNul.exe (PID: 6744)
  - csrss.exe (PID: 5208)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Credit Card Checker 2014.exe (PID: 4504)
  - Email Hacker.exe (PID: 6500)
  - cmd.exe (PID: 6544)
  - Email Hacker.exe (PID: 6732)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - loginServer.exe (PID: 7656)
  - Ibot.exe (PID: 8064)
  - mstwain32.exe (PID: 8108)
  - njRAT Start.exe (PID: 8160)
  - JeuxNul.exe (PID: 6744)
  - stub.exe (PID: 6884)
  - ctfmon.exe (PID: 6956)
  - njrat 0.6.exe (PID: 7156)
  - CS GO Skin Generator.exe (PID: 7116)
- Reads security settings of Internet Explorer
  - autorun.exe (PID: 4076)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - Ibot.exe (PID: 8064)
  - njRAT Start.exe (PID: 8160)
  - BLE.exe (PID: 7492)
  - stub.exe (PID: 6884)
  - njrat 0.6.exe (PID: 7156)
  - CS GO Skin Generator.exe (PID: 7116)
- There is functionality for taking screenshot (YARA)
  - autorun.exe (PID: 4076)
- The process executes VB scripts
  - autorun.exe (PID: 4076)
  - wscript.exe (PID: 6228)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Gets full path of the running script (SCRIPT)
  - wscript.exe (PID: 6228)
  - wscript.exe (PID: 6280)
- Application launched itself
  - wscript.exe (PID: 6228)
  - Email Hacker.exe (PID: 6684)
- Gets a collection of all available drive names (SCRIPT)
  - wscript.exe (PID: 6280)
- Gets disk free space (SCRIPT)
  - wscript.exe (PID: 6280)
- Gets the drive type (SCRIPT)
  - wscript.exe (PID: 6280)
- Checks whether the drive is ready (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses local storage devices (Win32_LogicalDisk) via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 6228)
- Gets computer name (SCRIPT)
  - wscript.exe (PID: 6280)
- Executes WMI query (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses computer name via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses operating system name via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses WMI object caption (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses antivirus product name via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses WMI object display name (SCRIPT)
  - wscript.exe (PID: 6280)
- Adds, changes, or deletes HTTP request header (SCRIPT)
  - wscript.exe (PID: 6280)
- Accesses current user name via WMI (SCRIPT)
  - wscript.exe (PID: 6280)
- Searches for installed software
  - Email Hacker.exe (PID: 6500)
- Executing commands from a ".bat" file
  - Email Hacker.exe (PID: 6500)
- Starts CMD.EXE for commands execution
  - Email Hacker.exe (PID: 6500)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 6544)
- The executable file from the user directory is run by the CMD process
  - VaporLoader.exe (PID: 6644)
- Connects to SMTP port
  - Paypal-adder.exe (PID: 7736)
  - Paypal-adder.exe (PID: 7856)
- Starts itself from another location
  - Ibot.exe (PID: 8064)
  - njRAT Start.exe (PID: 8160)
  - stub.exe (PID: 6884)
  - njrat 0.6.exe (PID: 7156)
  - CS GO Skin Generator.exe (PID: 7116)
- Connects to FTP
  - BLE.exe (PID: 7492)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - JeuxNul.exe (PID: 6744)
  - ctfmon.exe (PID: 6956)
  - csrss.exe (PID: 5208)
- The process creates files with name similar to system file names
  - stub.exe (PID: 6884)
  - ctfmon.exe (PID: 6956)
  - CS GO Skin Generator.exe (PID: 7116)
- There is functionality for VM detection antiVM strings (YARA)
  - Email Hacker.exe (PID: 6732)
INFO
- Checks supported languages
  - Credit Card Checker 2014.exe (PID: 4504)
  - autorun.exe (PID: 4076)
  - VaporLoader.exe (PID: 6644)
  - Email Hacker.exe (PID: 6684)
  - Email Hacker.exe (PID: 6500)
  - Email Hacker.exe (PID: 6732)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - BLE.exe (PID: 7492)
  - PooHack (1).exe (PID: 7512)
  - loginServer.exe (PID: 7656)
  - LOGINS~1.EXE (PID: 7692)
  - Paypal-adder.exe (PID: 7736)
  - Paypal-adder.exe (PID: 7856)
  - Ibot.exe (PID: 8064)
  - mstwain32.exe (PID: 8108)
  - VAC³ Status Changer.exe (PID: 8004)
  - njRAT Start.exe (PID: 8160)
  - JeuxNul.exe (PID: 6744)
  - stub.exe (PID: 6884)
  - ctfmon.exe (PID: 6956)
  - njrat 0.6.exe (PID: 7156)
  - CS GO Skin Generator.exe (PID: 7116)
  - google.exe (PID: 3464)
  - PooHack (1).exe (PID: 3912)
  - Steam Vac Unbanner by Blodyclan96.exe (PID: 4876)
  - csrss.exe (PID: 5208)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 828)
- The process uses the downloaded file
  - WinRAR.exe (PID: 828)
  - autorun.exe (PID: 4076)
  - wscript.exe (PID: 6228)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - Ibot.exe (PID: 8064)
  - njRAT Start.exe (PID: 8160)
- Manual execution by a user
  - Credit Card Checker 2014.exe (PID: 4504)
  - Credit Card Checker 2014.exe (PID: 2088)
  - Email Hacker.exe (PID: 6500)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7404)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - loginServer.exe (PID: 7656)
  - Paypal-adder.exe (PID: 7736)
  - Paypal-adder.exe (PID: 7856)
  - Ibot.exe (PID: 8064)
  - VAC³ Status Changer.exe (PID: 8004)
  - njRAT Start.exe (PID: 8160)
  - stub.exe (PID: 6884)
  - CS GO Skin Generator.exe (PID: 7116)
  - njrat 0.6.exe (PID: 7156)
  - PooHack (1).exe (PID: 3912)
  - Steam Vac Unbanner by Blodyclan96.exe (PID: 4876)
- The sample compiled with french language support
  - WinRAR.exe (PID: 828)
- The sample compiled with english language support
  - WinRAR.exe (PID: 828)
  - Credit Card Checker 2014.exe (PID: 4504)
  - loginServer.exe (PID: 7656)
- Create files in a temporary directory
  - Credit Card Checker 2014.exe (PID: 4504)
  - autorun.exe (PID: 4076)
  - Email Hacker.exe (PID: 6500)
  - loginServer.exe (PID: 7656)
  - njRAT Start.exe (PID: 8160)
  - stub.exe (PID: 6884)
  - ctfmon.exe (PID: 6956)
  - JeuxNul.exe (PID: 6744)
- Reads the computer name
  - Credit Card Checker 2014.exe (PID: 4504)
  - autorun.exe (PID: 4076)
  - Email Hacker.exe (PID: 6684)
  - VaporLoader.exe (PID: 6644)
  - Email Hacker.exe (PID: 6500)
  - Email Hacker.exe (PID: 6732)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - BLE.exe (PID: 7492)
  - PooHack (1).exe (PID: 7512)
  - loginServer.exe (PID: 7656)
  - LOGINS~1.EXE (PID: 7692)
  - Paypal-adder.exe (PID: 7736)
  - Paypal-adder.exe (PID: 7856)
  - VAC³ Status Changer.exe (PID: 8004)
  - Ibot.exe (PID: 8064)
  - stub.exe (PID: 6884)
  - JeuxNul.exe (PID: 6744)
  - ctfmon.exe (PID: 6956)
  - PooHack (1).exe (PID: 3912)
  - njrat 0.6.exe (PID: 7156)
  - google.exe (PID: 3464)
  - Steam Vac Unbanner by Blodyclan96.exe (PID: 4876)
  - CS GO Skin Generator.exe (PID: 7116)
- The process uses Lua
  - autorun.exe (PID: 4076)
- Process checks computer location settings
  - autorun.exe (PID: 4076)
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - Ibot.exe (PID: 8064)
  - stub.exe (PID: 6884)
- Checks proxy server information
  - wscript.exe (PID: 6280)
  - VaporLoader.exe (PID: 6644)
  - BLE.exe (PID: 7492)
- Reads the machine GUID from the registry
  - Email Hacker.exe (PID: 6500)
  - VaporLoader.exe (PID: 6644)
  - Paypal-adder.exe (PID: 7736)
  - Paypal-adder.exe (PID: 7856)
  - VAC³ Status Changer.exe (PID: 8004)
  - njRAT Start.exe (PID: 8160)
  - JeuxNul.exe (PID: 6744)
  - ctfmon.exe (PID: 6956)
- Disables trace logs
  - VaporLoader.exe (PID: 6644)
- Failed to create an executable file in Windows directory
  - Email Hacker.exe (PID: 6732)
  - njrat 0.6.exe (PID: 7156)
  - google.exe (PID: 3464)
- Creates files or folders in the user directory
  - Email Hacker.exe (PID: 6732)
  - Ibot.exe (PID: 8064)
  - mstwain32.exe (PID: 8108)
  - JeuxNul.exe (PID: 6744)
  - ctfmon.exe (PID: 6956)
  - njrat 0.6.exe (PID: 7156)
  - CS GO Skin Generator.exe (PID: 7116)
- Reads the software policy settings
  - VaporLoader.exe (PID: 6644)
  - Paypal-adder.exe (PID: 7856)
  - Paypal-adder.exe (PID: 7736)
- Creates files in the program directory
  - CS GO hack aimbot +wallhack by -poolhax.exe (PID: 7452)
  - BLE.exe (PID: 7492)
- Reads mouse settings
  - LOGINS~1.EXE (PID: 7692)
- Process checks whether UAC notifications are on
  - Ibot.exe (PID: 8064)
- Sends debugging messages
  - google.exe (PID: 3464)
  - njrat 0.6.exe (PID: 7156)
- UPX packer has been detected
  - mstwain32.exe (PID: 8108)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NjRat

(PID) Process(6744) JeuxNul.exe

C2hacker45.ddns.net

Ports1604

BotnetHacKed

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\691e59f102743330f16e52374a9fedec

Splitter|'|'|

Version0.6.4

(PID) Process(5208) csrss.exe

C2keygen1gg.zapto.org

Ports1177

Botnethacked

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\9ebc89cb70ae8d1246bcd119aeec0d85

Splitter|'|'|

Version0.7d

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion:	7z v0.04
ModifyDate:	2025:01:12 13:22:58+00:00
ArchivedFileName:	Malware

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

167

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

828

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Malware.7z

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2088

"C:\Users\admin\Desktop\Malware\Credit Card Checker 2014.exe"

C:\Users\admin\Desktop\Malware\Credit Card Checker 2014.exe

—

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

http://creditcheck2014.blogspot.com/

Exit code:

3221226540

Version:

2.1.3.5

Modules

Images
c:\users\admin\desktop\malware\credit card checker 2014.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3464

"C:\Users\admin\appdata\local\google.exe"

C:\Users\admin\AppData\Local\google.exe

njrat 0.6.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\google.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3912

"C:\Users\admin\Desktop\Malware\PooHack (1).exe"

C:\Users\admin\Desktop\Malware\PooHack (1).exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

SimpleRadar

Exit code:

3221225786

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\malware\poohack (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4076

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

4076

"C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\admin\Desktop\Malware\Credit Card Checker 2014.exe"

C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

—

Credit Card Checker 2014.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

http://creditcheck2014.blogspot.com/

Exit code:

Version:

2.1.3.5

Modules

Images
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4504

"C:\Users\admin\Desktop\Malware\Credit Card Checker 2014.exe"

C:\Users\admin\Desktop\Malware\Credit Card Checker 2014.exe

explorer.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

http://creditcheck2014.blogspot.com/

Exit code:

Version:

2.1.3.5

Modules

Images
c:\users\admin\desktop\malware\credit card checker 2014.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

4592

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

PooHack (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4876

"C:\Users\admin\Desktop\Malware\Steam Vac Unbanner by Blodyclan96.exe"

C:\Users\admin\Desktop\Malware\Steam Vac Unbanner by Blodyclan96.exe

—

explorer.exe

User:

admin

Company:

Blodyclan96

Integrity Level:

MEDIUM

Description:

Steam Vac Unbanner by Blodyclan96

Exit code:

Version:

1.00

Modules

Images
c:\users\admin\desktop\malware\steam vac unbanner by blodyclan96.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

Add for printing

Total events

15 820

Read events

15 167

Write events

651

Delete events

Modification events


(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Malware.7z
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4076) autorun.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:	write	Name:	Speaker Configuration
Value: 4
(PID) Process:	(6228) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	msg
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\msg.vbs"

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\Credit Card Checker 2014.exe		compressed
		MD5:FF57E323C7BD542C75BA92EC3E0978F1	SHA256:F3E2512D41FF7851D24766A32BE7EFB9922C52816AA18AB42C3D9D3DD1F057D9
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\Steam Vac Unbanner by Blodyclan96.exe		executable
		MD5:99A7CDC0EEE3E0E50212634A4E9492E9	SHA256:93E4579EF503C5507F20319BCD354B1989675C1879A4A13DFF12B3DB7692A7E2
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\CS GO Skin Generator.exe		executable
		MD5:3CBEA1DB6AD1EB8DD80704F257ED554B	SHA256:7E29A1D73BD5E3FFCCCEA00C77E94CA5BCBB5F9869707F36A99BC396935FF8BB
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\njRAT Start.exe		executable
		MD5:044E8616529F895A4D964B9D14D29250	SHA256:BE24FD3D7BD11937F88E14CF7F396D9C04D8919B6E533CE2EFAD0CCDB3EB6714
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\Email Hacker.Cerberus		binary
		MD5:FCFCFAD8297BB35D8BF960E1DF48DAE5	SHA256:7DC7F658F32EA6217B65DC48E29BFEC38476485F86611D77F62EA99873EFC7A5
4504	Credit Card Checker 2014.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\0002-royale.btn		compressed
		MD5:0B933456BBFFD11B50F14F391A4B0695	SHA256:89786C6CC4CBF430C9AEE1F8131EFEFF8A4ADF6617535AADE525FA909441A38F
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\Email Hacker.exe		executable
		MD5:07A66A43588311B6045004B0759D47F2	SHA256:DBFB0C6855D91233890D8E47C8F9906D6EF73CD92E2CF109ADC669D9F4286A24
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\loginServer.exe		executable
		MD5:4E65CAB63599F2BBAAEE0C06BAD441AB	SHA256:6B1E8666CCCBDF703D7B2427A71B5E28C22967A3CDC053A87E998DE7D335A933
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\Paypal-adder.exe		executable
		MD5:E237A341D0201E7D69A2E4D58E4F990D	SHA256:28FF33F8A31454EA52BCC719882087DA985EFE9DF7EC2560D69943F8BACDAF7D
828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa828.3947\Malware\stub.exe		executable
		MD5:A35523B624C9E25669643A9D7C9999A1	SHA256:40823ED33D1A420BA675BCB6D880D951A89FB78E256A43DA1C32EFB6E8A81D16

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

181

Threats

160

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4264	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6424	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6424	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3568	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5064	SearchApp.exe	2.16.204.157:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	40.126.32.133:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
crl.microsoft.com	23.48.23.173 23.48.23.176 23.48.23.143 23.48.23.164 23.48.23.147 23.48.23.180	whitelisted
www.microsoft.com	23.37.237.227 95.101.149.131	whitelisted
google.com	172.217.16.142	whitelisted
www.bing.com	2.16.204.157 2.16.204.135 2.16.204.150 2.16.204.134	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.133 40.126.32.136 20.190.160.14 20.190.160.22 40.126.32.68 40.126.32.76 40.126.32.74 40.126.32.138	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
google-chrome.servehttp.com	—	unknown
slscr.update.microsoft.com	20.109.210.53	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.dyndns-ip .com Domain
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com

Add for printing

Process	Message
njrat 0.6.exe	BILGE:TONYUKUK:BEN:ÖZÜM:TABGAC:ILINGE:KILINDIM:TÜRK:BODUNU:TABGACKA:KÖRÜK:ERTI
google.exe	BILGE:TONYUKUK:BEN:ÖZÜM:TABGAC:ILINGE:KILINDIM:TÜRK:BODUNU:TABGACKA:KÖRÜK:ERTI

General Info

Malware.7z

C73525D45B259E3BD508E0EAF464F533

30F07C93417192663EF8A305509A8316A5DE703C

A0F417D451039288CD8B3EA7D13DBAA0382DB7EC023EE779AA04532AF6C1CC6D

98304:FtnUY7CPcYkLttKS1qory6lCAkFftzYDcxYvjMiqoNt1xeEsd0sL0tbaqCCthuhd:NunIMEFsh0vHgkq8629+4FEir9Ly

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Gets startup folder path (SCRIPT)

Accesses environment variables (SCRIPT)

Checks whether a specified folder exists (SCRIPT)

Gets path to any of the special folders (SCRIPT)

Reads the value of a key from the registry (SCRIPT)

Gets TEMP folder path (SCRIPT)

Modifies registry startup key (SCRIPT)

Creates a new registry key or changes the value of an existing one (SCRIPT)

Copies file to a new location (SCRIPT)

Create files in the Startup directory

Gets a file object corresponding to the file in a specified path (SCRIPT)

Creates internet connection object (SCRIPT)

Opens an HTTP connection (SCRIPT)

Opens a text file (SCRIPT)

Gets username (SCRIPT)

Accesses information about the status of the installed antivirus(Win32_AntivirusProduct) via WMI (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

Sends HTTP request (SCRIPT)

Changes the autorun value in the registry

MODILOADER mutex has been found

NjRAT is detected

NJRAT has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

The process executes VB scripts

Creates FileSystem object to access computer's file system (SCRIPT)

Gets full path of the running script (SCRIPT)

Application launched itself

Gets a collection of all available drive names (SCRIPT)

Gets disk free space (SCRIPT)

Gets the drive type (SCRIPT)

Checks whether the drive is ready (SCRIPT)

Accesses local storage devices (Win32_LogicalDisk) via WMI (SCRIPT)

Runs shell command (SCRIPT)

Gets computer name (SCRIPT)

Executes WMI query (SCRIPT)

Accesses computer name via WMI (SCRIPT)

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

Accesses operating system name via WMI (SCRIPT)

Accesses WMI object caption (SCRIPT)

Accesses antivirus product name via WMI (SCRIPT)

Accesses WMI object display name (SCRIPT)

Adds, changes, or deletes HTTP request header (SCRIPT)

Accesses current user name via WMI (SCRIPT)

Searches for installed software

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

The executable file from the user directory is run by the CMD process

Connects to SMTP port

Starts itself from another location

Connects to FTP

Uses NETSH.EXE to add a firewall rule or allowed programs

The process creates files with name similar to system file names

There is functionality for VM detection antiVM strings (YARA)

INFO

Checks supported languages

Executable content was dropped or overwritten

The process uses the downloaded file

Manual execution by a user

The sample compiled with french language support

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name