File name: Dllhot.exe

Full analysis: https://app.any.run/tasks/6b81a3c6-a6e7-45f2-8b88-67e7da10dff5
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; interested attackers can even find tutorials on YouTube. This accessibility has made it one of the most popular RATs in the world.

Analysis date: November 24, 2024, 07:23:38
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
njrat
rat
bladabindi
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 4DFF5DF7E710AE25C9DEFEE573ED0FA3
SHA1: B3F08B7A5A6B221282C6E43BED12FCEB15AAAC4E
SHA256: A20F1315607EF8663239D4C9E07DBCD02E27E5710743BB0879C29AE12D198729
SSDEEP: 768:ABgU0rMibTEbjm7Gb5tjRitsLNdeH1cVtsnY8/oMbJ:ABMMibTEbjmSbnRiUU1OtsnY8QMb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NJRAT has been detected (YARA)

      • Dllhot.exe (PID: 3364)
    • NJRAT has been detected (SURICATA)

      • Dllhot.exe (PID: 3364)
    • Connects to the CnC server

      • Dllhot.exe (PID: 3364)
  • SUSPICIOUS

    • Connects to unusual port

      • Dllhot.exe (PID: 3364)
    • Contacting a server suspected of hosting a CnC

      • Dllhot.exe (PID: 3364)
  • INFO

    • Checks supported languages

      • Dllhot.exe (PID: 3364)
    • Reads the machine GUID from the registry

      • Dllhot.exe (PID: 3364)
    • Creates files or folders in the user directory

      • Dllhot.exe (PID: 3364)
    • Reads the computer name

      • Dllhot.exe (PID: 3364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process: (3364) Dllhot.exe
C2: saw-shirts.gl.at.ply.gg
Ports: 4164
Botnet: HacKed
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
Splitter: |Hassan|
Version: Njrat 0.7 Golden By Hassan Amiri

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:24 07:12:41+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 41984
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xc39e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 117
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes shown in the graph: start, dllhot.exe (#NJRAT), svchost.exe

Process information

PID: 1656
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Indicators: (none)
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3364
CMD: "C:\Users\admin\Desktop\Dllhot.exe"
Path: C:\Users\admin\Desktop\Dllhot.exe
Indicators: NjRat (configuration extracted above)
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\dllhot.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
Total events: 1 258
Read events: 1 257
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3364) Dllhot.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 3364
Process: Dllhot.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dllhot.exe.log
Type: text
MD5: 0BB66922C928CEBA81AD8FEE50676EF6
SHA256: 3E3BDFBAB9AA68011C7E5A60BE348DD8E094FD45622FC62475C1032038EC3F6E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 41
DNS requests: 34
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns are empty for every row in this export)
1296 | svchost.exe | GET | 200 | 88.221.110.147:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
3352 | MoUsoCoreWorker.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1f7cd6a083561a16 | unknown | whitelisted
5488 | firefox.exe | POST | 200 | 2.16.202.121:80 | http://r10.o.lencr.org/ | unknown | whitelisted
5028 | rundll32.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4557b2a13a8b76e4 | unknown | whitelisted
5488 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | whitelisted
5488 | firefox.exe | POST | 200 | 95.101.54.131:80 | http://r10.o.lencr.org/ | unknown | whitelisted
5488 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | whitelisted
(none) | (none) | HEAD | 200 | 23.218.208.109:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | (none)
2860 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?d427199d7579a766 | unknown | whitelisted
2860 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e134dd2738d4661 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(none) | (none) | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
3420 | OfficeC2RClient.exe | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
5488 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
5028 | rundll32.exe | 51.124.78.146:443 | (none) | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1296 | svchost.exe | 88.221.110.147:80 | (none) | Akamai International B.V. | DE | unknown
5552 | svchost.exe | 239.255.255.250:1900 | (none) | (none) | (none) | whitelisted
5488 | firefox.exe | 2.16.202.121:80 | r10.o.lencr.org | Akamai International B.V. | NL | whitelisted
5028 | rundll32.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
5488 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
google.com
  • 216.58.206.78
whitelisted
r10.o.lencr.org
  • 2.16.202.121
  • 95.101.54.131
whitelisted
a1887.dscq.akamai.net
  • 2.16.202.121
  • 95.101.54.131
  • 2a02:26f0:480:e::210:f10f
  • 2a02:26f0:480:e::210:f108
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID | Process | Class | Message
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
1656 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
1656 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3364 | Dllhot.exe | Misc activity | ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
3364 | Dllhot.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
6 ETPRO signatures available at the full report
No debug info