Malware analysis NjRat.0.7D.Golden.Edition.zip Malicious activity

Add for printing

File name:	NjRat.0.7D.Golden.Edition.zip
Full analysis:	https://app.any.run/tasks/e28ca3c6-9028-4a7a-ab67-cfe6be751759
Verdict:	Malicious activity
Threats:	njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	June 27, 2024, 10:48:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	securityxploded rat njrat bladabindi
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	DE0724E9B662C97A8131D593AE03E1E8
SHA1:	2367807D0405EF6D7CEF00F0B145C29823DD5128
SHA256:	AAC5B302910BE9B2C904F039129D3C42EB1E4B1539EF6DE621669793A95C7E69
SSDEEP:	49152:hoQ91Di9X+pMocKQtkWhCTNMH9xf1aawHlFhoTfNAghr5:h991DuOYKQyW4TGHeFhgNHhr5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- SecurityXploded is detected
  - WinRAR.exe (PID: 5640)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 5640)
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - mpress.exe (PID: 3156)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
- NjRAT is detected
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 2916)
  - Server.exe (PID: 4820)
  - Server.exe (PID: 6036)
- Create files in the Startup directory
  - Dllhost.exe (PID: 3888)
- Uses Task Scheduler to run other applications
  - Dllhost.exe (PID: 3888)
- NJRAT has been detected (YARA)
  - Dllhost.exe (PID: 3888)
- Changes the autorun value in the registry
  - Dllhost.exe (PID: 3888)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
- Executable content was dropped or overwritten
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - mpress.exe (PID: 3156)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
- Reads the date of Windows installation
  - Server.exe (PID: 1648)
- Starts itself from another location
  - Server.exe (PID: 1648)
- The process creates files with name similar to system file names
  - Server.exe (PID: 1648)
- The process executes via Task Scheduler
  - Server.exe (PID: 2916)
  - Server.exe (PID: 4820)
  - Server.exe (PID: 6036)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5640)
- Checks supported languages
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - TextInputHost.exe (PID: 5400)
  - mpress.exe (PID: 3156)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 2916)
  - Server.exe (PID: 4820)
  - identity_helper.exe (PID: 7036)
  - identity_helper.exe (PID: 5436)
  - Server.exe (PID: 6036)
- Reads the computer name
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - TextInputHost.exe (PID: 5400)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 2916)
  - Server.exe (PID: 4820)
  - identity_helper.exe (PID: 5436)
  - identity_helper.exe (PID: 7036)
  - Server.exe (PID: 6036)
- Reads the machine GUID from the registry
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - Dllhost.exe (PID: 3888)
- Manual execution by a user
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - Server.exe (PID: 1648)
  - msedge.exe (PID: 5652)
  - msedge.exe (PID: 5600)
- Reads Environment values
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
- Create files in a temporary directory
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - mpress.exe (PID: 3156)
  - Dllhost.exe (PID: 3888)
- Process checks computer location settings
  - Server.exe (PID: 1648)
- Creates files or folders in the user directory
  - Dllhost.exe (PID: 3888)
- Reads Microsoft Office registry keys
  - Dllhost.exe (PID: 3888)
  - msedge.exe (PID: 2068)
  - msedge.exe (PID: 5996)
  - msedge.exe (PID: 5600)
  - msedge.exe (PID: 6548)
- Application launched itself
  - msedge.exe (PID: 2068)
  - msedge.exe (PID: 5876)
  - msedge.exe (PID: 5996)
  - msedge.exe (PID: 5600)
  - msedge.exe (PID: 6548)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NjRat

(PID) Process(3888) Dllhost.exe

C2127.0.0.1

Ports5552

BotnetHacKed

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\Windows Update

Splitter|Hassan|

VersionNjrat 0.7 Golden By Hassan Amiri

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2020:10:23 14:50:18
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Plugin/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

225

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5196 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1096

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6504 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1320

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5912 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1572

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6984 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1644

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4212 --field-trial-handle=2492,i,16557521118197409251,10270112548962277480,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1648

"C:\Users\admin\Desktop\Server.exe"

C:\Users\admin\Desktop\Server.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1724

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2736 --field-trial-handle=2492,i,16557521118197409251,10270112548962277480,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2068

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.upload.ee/image/2298158/koli.swf

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

Dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2408

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x308,0x30c,0x310,0x304,0x2e0,0x7ffd93765fd8,0x7ffd93765fe4,0x7ffd93765ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2916

"C:\Users\admin\AppData\Local\Temp/Server.exe"

C:\Users\admin\AppData\Local\Temp\Server.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

44 725

Read events

44 039

Write events

674

Delete events

Modification events


(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\NjRat.0.7D.Golden.Edition.zip
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Add for printing

Executable files

Suspicious files

142

Text files

136

Unknown types

Dropped files

PID	Process	Filename		Type
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\AntiProcess.dll		executable
		MD5:B21947A28760750689F46E071D575D07	SHA256:F643AB116E7BD8515032A502B8700AFB5BDBFC08FC1CAA08817B3061E98B763E
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\ch.dll		executable
		MD5:2490EDA5B4450138BA79F39FCC90048A	SHA256:3BC2898DA9CD9E202B7795B330FA3DAFF81A4B02AB4ECFE47FDD712C53252F12
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\plg.dll		executable
		MD5:04CB30A874EE349721B0398594DE65FE	SHA256:6F8770A35EC0845226A28DD57C8AE414DC8814A6871BD0BB818BB13CA3B82106
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\cam.dll		executable
		MD5:7EBA4D9562BF7FC14F2C1BB142A1AA6F	SHA256:5F00CDA5808E3FD126D452708308DDEE6556CB83ADACCD02EFE83654A40FC641
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\dlnormal.bin		executable
		MD5:2B53E572879A63AAA6AB032221A24D99	SHA256:0E36C6FBBC68953D2702C3D5F84EEB35912CE9A53AADF467F8DF60FAF51A7F5E
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\ReGKey.egg		text
		MD5:C7E93739B6DEC45A71CCE1DA31CCDCD8	SHA256:B8FA5AA5AF1C96F87C35E32117364155DFAB8F913FCD098B71F59888E0609154
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\dlentrypoint.bin		executable
		MD5:4A7B5A4DA67C17C762CB538E6FEC9ED1	SHA256:C8294263BB4E447F53EEB9E639DBA6EC24D735D80A7D05894E8B88BD115F2970
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\pw.dll		executable
		MD5:872401528FC94C90F3DE6658E776CC36	SHA256:3A1CC072EFFD8C38406A6FDDF4D8F49C5366BB0E32071311D90DB669940987CE
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\sc2.dll		executable
		MD5:9C8B5C9EC7D24EF02C7DF4E589DBA366	SHA256:F97AADB4D1C59F4B3155A9EC57F91A05700AED38B0090096F8F1E0E7975B6561
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\host.egg		text
		MD5:F528764D624DB129B32C21FBCA0CB8D6	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

114

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2408	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1719972415&P2=404&P3=2&P4=J97Vw5GTBQPhLwE3Vs2XDjPyGg7BUEYxQTLfG1BHNncPsqIP2Dm6wy6R6rqqRxIaFfSb75%2b4h0b652TbcIi68Q%3d%3d	unknown	—	—	unknown
5776	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1719972415&P2=404&P3=2&P4=J97Vw5GTBQPhLwE3Vs2XDjPyGg7BUEYxQTLfG1BHNncPsqIP2Dm6wy6R6rqqRxIaFfSb75%2b4h0b652TbcIi68Q%3d%3d	unknown	—	—	unknown
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1719972415&P2=404&P3=2&P4=J97Vw5GTBQPhLwE3Vs2XDjPyGg7BUEYxQTLfG1BHNncPsqIP2Dm6wy6R6rqqRxIaFfSb75%2b4h0b652TbcIi68Q%3d%3d	unknown	—	—	unknown
2408	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c5fb1d80-5f8a-47d7-8bf5-49cafe2277a3?P1=1719557960&P2=404&P3=2&P4=gJx%2fJ3XVXNd8YbOkVYyPzabd9YawWhga5GLy5ff3xOAbwmrvfr406ETHy%2fyU8sxK3qrgOgqZHp10xCgU6jhCcA%3d%3d	unknown	—	—	unknown
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1719972415&P2=404&P3=2&P4=J97Vw5GTBQPhLwE3Vs2XDjPyGg7BUEYxQTLfG1BHNncPsqIP2Dm6wy6R6rqqRxIaFfSb75%2b4h0b652TbcIi68Q%3d%3d	unknown	—	—	unknown
2408	svchost.exe	GET	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c5fb1d80-5f8a-47d7-8bf5-49cafe2277a3?P1=1719557960&P2=404&P3=2&P4=gJx%2fJ3XVXNd8YbOkVYyPzabd9YawWhga5GLy5ff3xOAbwmrvfr406ETHy%2fyU8sxK3qrgOgqZHp10xCgU6jhCcA%3d%3d	unknown	—	—	unknown
2408	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dfeb2940-49d3-4f29-8fd8-d984a787dc6e?P1=1719928452&P2=404&P3=2&P4=YwZ4DRsukmz0EaurNYusLN5BymzcGlyXNczfh1IBGpGnyERB9%2bQw054qpD8qzzkAjzRM2GVVEGXCiyT3cB1dXg%3d%3d	unknown	—	—	unknown
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dfeb2940-49d3-4f29-8fd8-d984a787dc6e?P1=1719928452&P2=404&P3=2&P4=YwZ4DRsukmz0EaurNYusLN5BymzcGlyXNczfh1IBGpGnyERB9%2bQw054qpD8qzzkAjzRM2GVVEGXCiyT3cB1dXg%3d%3d	unknown	—	—	unknown
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1719972415&P2=404&P3=2&P4=J97Vw5GTBQPhLwE3Vs2XDjPyGg7BUEYxQTLfG1BHNncPsqIP2Dm6wy6R6rqqRxIaFfSb75%2b4h0b652TbcIi68Q%3d%3d	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2456	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3672	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1784	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2456	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2456	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3040	OfficeClickToRun.exe	20.189.173.9:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3040	OfficeClickToRun.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
self.events.data.microsoft.com	20.189.173.9	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.bing.com	23.37.226.81 23.37.226.106 23.53.43.152 23.37.226.88 23.37.226.97 23.53.43.121 23.53.43.115 2.16.110.152 2.16.110.171 2.16.110.200 2.16.110.121 2.16.110.170 2.16.110.123 2.16.110.177 2.16.110.193 2.16.110.131	whitelisted
login.live.com	20.190.159.0 20.190.159.64 40.126.31.67 20.190.159.23 20.190.159.71 20.190.159.4 20.190.159.75 40.126.31.71	whitelisted
r.bing.com	23.37.226.106 23.37.226.97 23.53.43.152 23.53.43.115 23.53.43.121 23.37.226.88 23.37.226.81	whitelisted
go.microsoft.com	23.213.170.81 23.213.166.81	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

NjRat.0.7D.Golden.Edition.zip

DE0724E9B662C97A8131D593AE03E1E8

2367807D0405EF6D7CEF00F0B145C29823DD5128

AAC5B302910BE9B2C904F039129D3C42EB1E4B1539EF6DE621669793A95C7E69

49152:hoQ91Di9X+pMocKQtkWhCTNMH9xf1aawHlFhoTfNAghr5:h991DuOYKQyW4TGHeFhgNHhr5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SecurityXploded is detected

Drops the executable file immediately after the start

NjRAT is detected

Create files in the Startup directory

Uses Task Scheduler to run other applications

NJRAT has been detected (YARA)

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Starts itself from another location

The process creates files with name similar to system file names

The process executes via Task Scheduler

INFO

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Manual execution by a user

Reads Environment values

Create files in a temporary directory

Process checks computer location settings

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Application launched itself

Malware configuration

NjRat

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings