analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

44.exe

Full analysis: https://app.any.run/tasks/53c0ab57-e1d7-4606-b6ee-2f6ac5adcc83
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 22:09:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
njrat
bladabindi
stealer
SecurityXploded
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

AB882A80736C7A7F8F70530E9EEB5CCF

SHA1:

A123B86E4B1D5DB92B3FA7DD74096C746D3F5238

SHA256:

AE9225C383CBDB69E7832115DFC7C235824C77B4F0A1BB7E5E51DC733AD47017

SSDEEP:

384:9Zyt4DQolYxOoyi0q1eU+UEJ8cFQPzgIij+ZsNO3PlpJKkkjh/TzF7pWnS/greTn:3IouIli0Uezl86wuXQ/oP/+L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • 44.exe (PID: 1012)

    • NJRAT was detected

      • 44.exe (PID: 1012)

    • Connects to CnC server

      • 44.exe (PID: 1012)

    • Changes the autorun value in the registry

      • 44.exe (PID: 1012)

    • Stealing of credential data

      • vbc.exe (PID: 3836)

    • Detected SecurityXploded stealer

      • vbc.exe (PID: 3836)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3836)
      • 44.exe (PID: 1012)

    • Steals credentials from Web Browsers

      • vbc.exe (PID: 3836)

  • SUSPICIOUS

    • Checks supported languages

      • 44.exe (PID: 1012)
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2404)
      • vbc.exe (PID: 3836)
      • vlc.exe (PID: 3564)

    • Reads the computer name

      • 44.exe (PID: 1012)
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2404)
      • vbc.exe (PID: 3836)
      • vlc.exe (PID: 3564)

    • Drops a file with a compile date too recent

      • 44.exe (PID: 1012)

    • Executable content was dropped or overwritten

      • 44.exe (PID: 1012)

    • Creates files in the user directory

      • 44.exe (PID: 1012)
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2404)
      • vlc.exe (PID: 3564)

    • Starts Internet Explorer

      • 44.exe (PID: 1012)

    • Executed via COM

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2404)
      • DllHost.exe (PID: 3792)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2044)

    • Executes scripts

      • 44.exe (PID: 1012)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1960)
      • iexplore.exe (PID: 2044)
      • DllHost.exe (PID: 3792)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2044)
      • iexplore.exe (PID: 1960)

    • Changes internet zones settings

      • iexplore.exe (PID: 1960)

    • Reads the computer name

      • iexplore.exe (PID: 2044)
      • iexplore.exe (PID: 1960)
      • DllHost.exe (PID: 3792)

    • Application launched itself

      • iexplore.exe (PID: 1960)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2044)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2044)
      • iexplore.exe (PID: 1960)

    • Reads CPU info

      • iexplore.exe (PID: 2044)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 1960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:24 23:09:32+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 41984
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xc37e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jan-2022 22:09:32

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 24-Jan-2022 22:09:32
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x0000A384
0x0000A400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.69817
.rsrc
0x0000E000
0x00000400
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.51607
.reloc
0x00010000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.0815394

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NJRAT 44.exe iexplore.exe iexplore.exe flashutil32_32_0_0_453_activex.exe no specs PhotoViewer.dll no specs #SECURITYXPLODED vbc.exe vlc.exe

Process information

PID
CMD
Path
Indicators
Parent process
1012"C:\Users\admin\AppData\Local\Temp\44.exe" C:\Users\admin\AppData\Local\Temp\44.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
1960"C:\Program Files\Internet Explorer\iexplore.exe" http://www.upload.ee/image/2298158/koli.swfC:\Program Files\Internet Explorer\iexplore.exe
44.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2044"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1960 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2404C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe� Flash� Player Installer/Uninstaller 32.0 r0
Exit code:
0
Version:
32,0,0,453
3792C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3836"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\admin\AppData\Local\Temp\2848204"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
44.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
12.0.51209.34209
3564"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\.mp4"C:\Program Files\VideoLAN\VLC\vlc.exe
44.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Exit code:
3221225547
Version:
3.0.11
Total events
19 879
Read events
19 484
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
9
Text files
25
Unknown types
22

Dropped files

PID
Process
Filename
Type
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:4AE21726D5705A49ED8C8A2A8F5D7AAC
SHA256:8D5CDC9160FA7B0BC2DF36615121A9E82063072D715F4FD047FE67FF5C78A074
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BBbinary
MD5:C1D7DE53AF29C1C5F28326963166D913
SHA256:3E9C3AA76DCD1A0D6B76B88BFB95AF774613EEAFF2657AB1421E1CC4ABDC6090
101244.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exeexecutable
MD5:AB882A80736C7A7F8F70530E9EEB5CCF
SHA256:AE9225C383CBDB69E7832115DFC7C235824C77B4F0A1BB7E5E51DC733AD47017
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BBder
MD5:4F2B5DE2180B40973F56F83EF2E22A43
SHA256:0C6A8EBAABB179D340B8BF0DBD4F1305668A0C37AA293EFF42AFC6DF7F1F3389
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\709A8EC0F6D3194AD001E9041914421F_E172EF98249A059D307448253E7A9453binary
MD5:B71EEA3C1755AE3B853EC3126DE5B501
SHA256:3215936376D298D2051CE20F0196C473CD809C82197AF88B25F9ABB8BD6092F6
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\709A8EC0F6D3194AD001E9041914421F_E172EF98249A059D307448253E7A9453der
MD5:A261996A10492F366B68C3E1D3CF35F0
SHA256:4C0BE38B189F3D3CE1ABB902141363FADC571AC71B5BF4563E7B3C0E71863D0E
2404FlashUtil32_32_0_0_453_ActiveX.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.solsol
MD5:4E442C66F85325FE25C83EE8855432CA
SHA256:C1F7F9394B37899EC9EFE36DD2C26C80837F357D86F20F67DC13F6491F0CFEA9
2404FlashUtil32_32_0_0_453_ActiveX.exeC:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2404FlashUtil32_32_0_0_453_ActiveX.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
16
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2044
iexplore.exe
GET
302
51.91.30.159:80
http://www.upload.ee/image/2298158/koli.swf
GB
whitelisted
2044
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0tOcjGcdlkhVARHvHzj6Qwhh26wQUpI3lvnx55HAjbS4pNK0jWNz1MX8CEAqDOmSasIXLXYQmEh4hS00%3D
US
der
471 b
whitelisted
1960
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2044
iexplore.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2044
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAeYNgOt45kIIZygDCe8imw%3D
US
der
471 b
whitelisted
2044
iexplore.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2044
iexplore.exe
GET
200
2.16.106.171:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?999b7e6b8630fe11
unknown
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2044
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1960
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1012
44.exe
3.142.167.4:10529
8.tcp.ngrok.io
US
malicious
1960
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1012
44.exe
3.142.167.54:10529
8.tcp.ngrok.io
US
malicious
2044
iexplore.exe
51.91.30.159:443
www.upload.ee
GB
suspicious
2044
iexplore.exe
2.16.106.171:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
2044
iexplore.exe
2.18.233.74:443
geo2.adobe.com
Akamai International B.V.
whitelisted
2044
iexplore.exe
51.91.30.159:80
www.upload.ee
GB
suspicious

DNS requests

Domain
IP
Reputation
8.tcp.ngrok.io
  • 3.142.167.54
  • 3.142.167.4
whitelisted
www.upload.ee
  • 51.91.30.159
whitelisted
ctldl.windowsupdate.com
  • 2.16.106.171
  • 2.16.106.233
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
geo2.adobe.com
  • 2.18.233.74
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
1012
44.exe
A Network Trojan was detected
ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
Potential Corporate Privacy Violation
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
44 ETPRO signatures available at the full report
Process
Message
vlc.exe
main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe
main libvlc debug: Copyright � 1996-2020 the VideoLAN team
vlc.exe
main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe
main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
vlc.exe
main libvlc debug: using multimedia timers as clock source
vlc.exe
main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe
main libvlc debug: searching plug-in modules
vlc.exe
main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
vlc.exe
main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
vlc.exe
main libvlc debug: plug-ins loaded: 494 modules
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
44.exe