File name:

Payload.exe

Full analysis: https://app.any.run/tasks/dbb8dce2-3649-4b90-b790-c3ca2240f179
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: January 04, 2025, 14:59:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
njrat
bladabindi
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

B4C6A9D5B8E589C033A89C261A0FA179

SHA1:

A6962541A3F57293D6FF2FFD838435311F60601B

SHA256:

C412C85F5228F08F3BFAD3B906ED390D1B08569D239A4485F9AE395FBEECD236

SSDEEP:

768:m8djDRePdZVuDwUBNl1OT5qTadYsEShmPBc6DHPsTL7XJVxI3pm5:mavXNl1EGsBMBc6D+XjxI3pm5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • dllhost.exe (PID: 4548)

    • NJRAT has been detected (YARA)

      • dllhost.exe (PID: 4548)

    • NJRAT has been detected (SURICATA)

      • dllhost.exe (PID: 4548)

    • Connects to the CnC server

      • dllhost.exe (PID: 4548)

    • Changes the autorun value in the registry

      • dllhost.exe (PID: 4548)

    • NjRAT is detected

      • dllhost.exe (PID: 4548)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Payload.exe (PID: 3692)
      • dllhost.exe (PID: 4548)

    • Starts itself from another location

      • Payload.exe (PID: 3692)

    • The process creates files with name similar to system file names

      • Payload.exe (PID: 3692)

    • Reads security settings of Internet Explorer

      • Payload.exe (PID: 3692)

    • Connects to unusual port

      • dllhost.exe (PID: 4548)

    • Contacting a server suspected of hosting an CnC

      • dllhost.exe (PID: 4548)

  • INFO

    • Create files in a temporary directory

      • Payload.exe (PID: 3692)

    • The process uses the downloaded file

      • Payload.exe (PID: 3692)

    • Reads the computer name

      • Payload.exe (PID: 3692)
      • dllhost.exe (PID: 4548)

    • Checks supported languages

      • dllhost.exe (PID: 4548)
      • Payload.exe (PID: 3692)

    • Creates files or folders in the user directory

      • dllhost.exe (PID: 4548)

    • Process checks computer location settings

      • Payload.exe (PID: 3692)

    • Reads the machine GUID from the registry

      • dllhost.exe (PID: 4548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(4548) dllhost.exe
C2between-youth.gl.at.ply.gg
Ports58685
BotnetVictim
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\987fc78b62866a6f11ddadc3731e4664
SplitterY262SUCZ4UJJ
Version<- NjRAT 0.7d Horror Edition ->
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.7)
.exe | Win32 Executable MS Visual C++ (generic) (19.4)
.exe | Win64 Executable (generic) (17.2)
.scr | Windows screen saver (8.1)
.dll | Win32 Dynamic Link Library (generic) (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:04 14:55:18+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 54272
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xf21e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
116
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start payload.exe #NJRAT dllhost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3692"C:\Users\admin\Desktop\Payload.exe" C:\Users\admin\Desktop\Payload.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\payload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4548"C:\Users\admin\AppData\Local\Temp\dllhost.exe" C:\Users\admin\AppData\Local\Temp\dllhost.exe
Payload.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
NjRat
(PID) Process(4548) dllhost.exe
C2between-youth.gl.at.ply.gg
Ports58685
BotnetVictim
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\987fc78b62866a6f11ddadc3731e4664
SplitterY262SUCZ4UJJ
Version<- NjRAT 0.7d Horror Edition ->
Total events
1 458
Read events
1 312
Write events
146
Delete events
0

Modification events

(PID) Process:(4548) dllhost.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(4548) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:987fc78b62866a6f11ddadc3731e4664
Value:
"C:\Users\admin\AppData\Local\Temp\dllhost.exe" ..
(PID) Process:(4548) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\987fc78b62866a6f11ddadc3731e4664
Operation:writeName:[kl]
Value:
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4548dllhost.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\987fc78b62866a6f11ddadc3731e4664.exeexecutable
MD5:B4C6A9D5B8E589C033A89C261A0FA179
SHA256:C412C85F5228F08F3BFAD3B906ED390D1B08569D239A4485F9AE395FBEECD236
3692Payload.exeC:\Users\admin\AppData\Local\Temp\dllhost.exeexecutable
MD5:B4C6A9D5B8E589C033A89C261A0FA179
SHA256:C412C85F5228F08F3BFAD3B906ED390D1B08569D239A4485F9AE395FBEECD236
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
7
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.114:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
184.30.230.103:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4548
dllhost.exe
147.185.221.24:58685
between-youth.gl.at.ply.gg
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 2.16.164.114
  • 2.16.164.24
  • 2.16.164.9
  • 2.16.164.99
whitelisted
www.microsoft.com
  • 184.30.230.103
whitelisted
between-youth.gl.at.ply.gg
  • 147.185.221.24
unknown
self.events.data.microsoft.com
  • 13.89.179.11
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
2192
svchost.exe
Misc activity
ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
4548
dllhost.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
4548
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Payload.exe