Malware analysis NjRat.0.7D.Golden.Edition.zip Malicious activity

Add for printing

File name:	NjRat.0.7D.Golden.Edition.zip
Full analysis:	https://app.any.run/tasks/e28ca3c6-9028-4a7a-ab67-cfe6be751759
Verdict:	Malicious activity
Threats:	njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	June 27, 2024, 10:48:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	securityxploded rat njrat bladabindi
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	DE0724E9B662C97A8131D593AE03E1E8
SHA1:	2367807D0405EF6D7CEF00F0B145C29823DD5128
SHA256:	AAC5B302910BE9B2C904F039129D3C42EB1E4B1539EF6DE621669793A95C7E69
SSDEEP:	49152:hoQ91Di9X+pMocKQtkWhCTNMH9xf1aawHlFhoTfNAghr5:h991DuOYKQyW4TGHeFhgNHhr5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 5640)
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - mpress.exe (PID: 3156)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 1648)
- SecurityXploded is detected
  - WinRAR.exe (PID: 5640)
- NjRAT is detected
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 2916)
  - Server.exe (PID: 4820)
  - Server.exe (PID: 6036)
- Create files in the Startup directory
  - Dllhost.exe (PID: 3888)
- Uses Task Scheduler to run other applications
  - Dllhost.exe (PID: 3888)
- NJRAT has been detected (YARA)
  - Dllhost.exe (PID: 3888)
- Changes the autorun value in the registry
  - Dllhost.exe (PID: 3888)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
- The process creates files with name similar to system file names
  - Server.exe (PID: 1648)
- Executable content was dropped or overwritten
  - Server.exe (PID: 1648)
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - mpress.exe (PID: 3156)
  - Dllhost.exe (PID: 3888)
- Reads the date of Windows installation
  - Server.exe (PID: 1648)
- Starts itself from another location
  - Server.exe (PID: 1648)
- The process executes via Task Scheduler
  - Server.exe (PID: 2916)
  - Server.exe (PID: 4820)
  - Server.exe (PID: 6036)
INFO
- Checks supported languages
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - TextInputHost.exe (PID: 5400)
  - mpress.exe (PID: 3156)
  - Server.exe (PID: 1648)
  - Server.exe (PID: 2916)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 4820)
  - identity_helper.exe (PID: 7036)
  - identity_helper.exe (PID: 5436)
  - Server.exe (PID: 6036)
- Reads the computer name
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - TextInputHost.exe (PID: 5400)
  - Server.exe (PID: 1648)
  - Dllhost.exe (PID: 3888)
  - Server.exe (PID: 2916)
  - identity_helper.exe (PID: 7036)
  - Server.exe (PID: 4820)
  - identity_helper.exe (PID: 5436)
  - Server.exe (PID: 6036)
- Reads the machine GUID from the registry
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - Dllhost.exe (PID: 3888)
- Manual execution by a user
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - Server.exe (PID: 1648)
  - msedge.exe (PID: 5652)
  - msedge.exe (PID: 5600)
- Reads Environment values
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5640)
- Create files in a temporary directory
  - NjRat 0.7D Golden Edition - Rus.exe (PID: 4264)
  - mpress.exe (PID: 3156)
  - Dllhost.exe (PID: 3888)
- Creates files or folders in the user directory
  - Dllhost.exe (PID: 3888)
- Process checks computer location settings
  - Server.exe (PID: 1648)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 2068)
  - msedge.exe (PID: 5600)
  - msedge.exe (PID: 5996)
  - Dllhost.exe (PID: 3888)
  - msedge.exe (PID: 6548)
- Application launched itself
  - msedge.exe (PID: 5876)
  - msedge.exe (PID: 5996)
  - msedge.exe (PID: 5600)
  - msedge.exe (PID: 2068)
  - msedge.exe (PID: 6548)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NjRat

(PID) Process(3888) Dllhost.exe

C2127.0.0.1

Ports5552

BotnetHacKed

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\Windows Update

Splitter|Hassan|

VersionNjrat 0.7 Golden By Hassan Amiri

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2020:10:23 14:50:18
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Plugin/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

225

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5196 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1096

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6504 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1320

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5912 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1572

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6984 --field-trial-handle=2316,i,3758622286222894197,11517630718896410511,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1644

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4212 --field-trial-handle=2492,i,16557521118197409251,10270112548962277480,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1648

"C:\Users\admin\Desktop\Server.exe"

C:\Users\admin\Desktop\Server.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1724

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2736 --field-trial-handle=2492,i,16557521118197409251,10270112548962277480,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2068

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.upload.ee/image/2298158/koli.swf

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

Dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2408

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x308,0x30c,0x310,0x304,0x2e0,0x7ffd93765fd8,0x7ffd93765fe4,0x7ffd93765ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2916

"C:\Users\admin\AppData\Local\Temp/Server.exe"

C:\Users\admin\AppData\Local\Temp\Server.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

44 725

Read events

44 039

Write events

674

Delete events

Modification events


(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\NjRat.0.7D.Golden.Edition.zip
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5640) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Add for printing

Executable files

Suspicious files

142

Text files

136

Unknown types

Dropped files

PID	Process	Filename		Type
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\sc2.dll		executable
		MD5:9C8B5C9EC7D24EF02C7DF4E589DBA366	SHA256:F97AADB4D1C59F4B3155A9EC57F91A05700AED38B0090096F8F1E0E7975B6561
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\ch.dll		executable
		MD5:2490EDA5B4450138BA79F39FCC90048A	SHA256:3BC2898DA9CD9E202B7795B330FA3DAFF81A4B02AB4ECFE47FDD712C53252F12
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\AntiProcess.dll		executable
		MD5:B21947A28760750689F46E071D575D07	SHA256:F643AB116E7BD8515032A502B8700AFB5BDBFC08FC1CAA08817B3061E98B763E
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\plg.dll		executable
		MD5:04CB30A874EE349721B0398594DE65FE	SHA256:6F8770A35EC0845226A28DD57C8AE414DC8814A6871BD0BB818BB13CA3B82106
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\mic.dll		executable
		MD5:1607999C56366FC2096A27A8BD237B98	SHA256:7D327985D7E4F83ADFFBDF831C1E999C68CB90238790B63260AF19D24BFA66B8
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\mpress.exe		executable
		MD5:8B632BFC3FE653A510CBA277C2D699D1	SHA256:2852680C94A9D68CDAB285012D9328A1CECA290DB60C9E35155C2BB3E46A41B4
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\pw.dll		executable
		MD5:872401528FC94C90F3DE6658E776CC36	SHA256:3A1CC072EFFD8C38406A6FDDF4D8F49C5366BB0E32071311D90DB669940987CE
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\Anti.bin		executable
		MD5:2170473F4F2B81E9B909996B0F459D16	SHA256:01D0BEDCC943E13E341578423A2FC6848D9F63F1C5800B9A16BD64F65A1FCDDE
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\stubs\dlnormal.bin		executable
		MD5:2B53E572879A63AAA6AB032221A24D99	SHA256:0E36C6FBBC68953D2702C3D5F84EEB35912CE9A53AADF467F8DF60FAF51A7F5E
5640	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5640.17115\Plugin\cam.dll		executable
		MD5:7EBA4D9562BF7FC14F2C1BB142A1AA6F	SHA256:5F00CDA5808E3FD126D452708308DDEE6556CB83ADACCD02EFE83654A40FC641

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

114

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2456	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	—
2456	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
2408	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ebe63bca-6943-485a-b2da-eabbbd952f0e?P1=1720080854&P2=404&P3=2&P4=Rj04clnMmWGBicFIs75ATIZgs6ne0A0ACvPnQPMtDOdyVNr4TtA3MY5lWv%2fTdM3r%2fSTtdr2dWszoVEetJb4vmw%3d%3d	unknown	—	—	—
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dfeb2940-49d3-4f29-8fd8-d984a787dc6e?P1=1719928452&P2=404&P3=2&P4=YwZ4DRsukmz0EaurNYusLN5BymzcGlyXNczfh1IBGpGnyERB9%2bQw054qpD8qzzkAjzRM2GVVEGXCiyT3cB1dXg%3d%3d	unknown	—	—	—
2408	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dfeb2940-49d3-4f29-8fd8-d984a787dc6e?P1=1719928452&P2=404&P3=2&P4=YwZ4DRsukmz0EaurNYusLN5BymzcGlyXNczfh1IBGpGnyERB9%2bQw054qpD8qzzkAjzRM2GVVEGXCiyT3cB1dXg%3d%3d	unknown	—	—	—
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	—
1544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	—
3040	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	—
2968	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	—
2968	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2456	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:137	—	—	—	unknown
3672	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
1784	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
2456	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2456	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3040	OfficeClickToRun.exe	20.189.173.9:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3040	OfficeClickToRun.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	unknown
crl.microsoft.com	23.48.23.156 23.48.23.143	unknown
www.microsoft.com	23.52.120.96	unknown
self.events.data.microsoft.com	20.189.173.9	unknown
ocsp.digicert.com	192.229.221.95	unknown
www.bing.com	23.37.226.81 23.37.226.106 23.53.43.152 23.37.226.88 23.37.226.97 23.53.43.121 23.53.43.115 2.16.110.152 2.16.110.171 2.16.110.200 2.16.110.121 2.16.110.170 2.16.110.123 2.16.110.177 2.16.110.193 2.16.110.131	unknown
login.live.com	20.190.159.0 20.190.159.64 40.126.31.67 20.190.159.23 20.190.159.71 20.190.159.4 20.190.159.75 40.126.31.71	unknown
r.bing.com	23.37.226.106 23.37.226.97 23.53.43.152 23.53.43.115 23.53.43.121 23.37.226.88 23.37.226.81	unknown
go.microsoft.com	23.213.170.81 23.213.166.81	unknown
slscr.update.microsoft.com	40.68.123.157	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

NjRat.0.7D.Golden.Edition.zip

DE0724E9B662C97A8131D593AE03E1E8

2367807D0405EF6D7CEF00F0B145C29823DD5128

AAC5B302910BE9B2C904F039129D3C42EB1E4B1539EF6DE621669793A95C7E69

49152:hoQ91Di9X+pMocKQtkWhCTNMH9xf1aawHlFhoTfNAghr5:h991DuOYKQyW4TGHeFhgNHhr5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SecurityXploded is detected

NjRAT is detected

Create files in the Startup directory

Uses Task Scheduler to run other applications

NJRAT has been detected (YARA)

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads the date of Windows installation

Starts itself from another location

The process executes via Task Scheduler

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Manual execution by a user

Reads Environment values

Executable content was dropped or overwritten

Create files in a temporary directory

Creates files or folders in the user directory

Process checks computer location settings

Reads Microsoft Office registry keys

Application launched itself

Malware configuration

NjRat

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings