File name:

25a9a70e860bdd43873f8423b2573785.exe

Full analysis: https://app.any.run/tasks/854db95f-ea0e-49f7-b094-e691a0371e3d
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: November 24, 2024, 14:14:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
njrat
bladabindi
remote
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

25A9A70E860BDD43873F8423B2573785

SHA1:

0EEA71569C308368F8F424EF48B67DA8A352A7BA

SHA256:

A3C7EABD9CFB545ADB2731670D97FE9EC7D8AFE29DB7F7A31827BDC13E0E4A85

SSDEEP:

1536:mD9Rb2Us4aigzKU0MxViwvyg1KtFxP7vq:094UIx0Mbpag1K5P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • msgedge.exe (PID: 3540)

    • Connects to the CnC server

      • msgedge.exe (PID: 3540)

    • NJRAT has been detected (SURICATA)

      • msgedge.exe (PID: 3540)

    • NJRAT has been detected (YARA)

      • msgedge.exe (PID: 3540)

    • Changes the autorun value in the registry

      • msgedge.exe (PID: 3540)

    • NjRAT is detected

      • msgedge.exe (PID: 3540)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)

    • Executable content was dropped or overwritten

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)
      • msgedge.exe (PID: 3540)

    • Starts itself from another location

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • msgedge.exe (PID: 3540)

    • Contacting a server suspected of hosting an CnC

      • msgedge.exe (PID: 3540)

    • Connects to unusual port

      • msgedge.exe (PID: 3540)

  • INFO

    • Create files in a temporary directory

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)

    • Reads the computer name

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)
      • msgedge.exe (PID: 3540)

    • Checks supported languages

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)
      • msgedge.exe (PID: 3540)

    • The process uses the downloaded file

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)

    • Process checks computer location settings

      • 25a9a70e860bdd43873f8423b2573785.exe (PID: 4840)

    • Creates files or folders in the user directory

      • msgedge.exe (PID: 3540)

    • Reads the machine GUID from the registry

      • msgedge.exe (PID: 3540)

    • Confuser has been detected (YARA)

      • msgedge.exe (PID: 3540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:22 03:45:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 40960
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xbefe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 25a9a70e860bdd43873f8423b2573785.exe #NJRAT msgedge.exe netsh.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3540"C:\Users\admin\AppData\Local\Temp\msgedge.exe" C:\Users\admin\AppData\Local\Temp\msgedge.exe
25a9a70e860bdd43873f8423b2573785.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\msgedge.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4840"C:\Users\admin\Desktop\25a9a70e860bdd43873f8423b2573785.exe" C:\Users\admin\Desktop\25a9a70e860bdd43873f8423b2573785.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\25a9a70e860bdd43873f8423b2573785.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5588\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5920netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\msgedge.exe" "msgedge.exe" ENABLEC:\Windows\SysWOW64\netsh.exemsgedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 546
Read events
1 401
Write events
145
Delete events
0

Modification events

(PID) Process:(3540) msgedge.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(3540) msgedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:5068c4162623ac26e655305f35864a96
Value:
"C:\Users\admin\AppData\Local\Temp\msgedge.exe" ..
(PID) Process:(3540) msgedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\5068c4162623ac26e655305f35864a96
Operation:writeName:[kl]
Value:
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3540msgedge.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5068c4162623ac26e655305f35864a96.exeexecutable
MD5:25A9A70E860BDD43873F8423B2573785
SHA256:A3C7EABD9CFB545ADB2731670D97FE9EC7D8AFE29DB7F7A31827BDC13E0E4A85
484025a9a70e860bdd43873f8423b2573785.exeC:\Users\admin\AppData\Local\Temp\msgedge.exeexecutable
MD5:25A9A70E860BDD43873F8423B2573785
SHA256:A3C7EABD9CFB545ADB2731670D97FE9EC7D8AFE29DB7F7A31827BDC13E0E4A85
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
712
svchost.exe
GET
200
2.16.164.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
712
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
712
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.140:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
712
svchost.exe
2.16.164.112:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.112:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
712
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.177
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.182
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.164.112
  • 2.16.164.113
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 20.42.73.24
whitelisted

Threats

PID
Process
Class
Message
3540
msgedge.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
25a9a70e860bdd43873f8423b2573785.exe