File name: Netflix Checker By FknDemon.rar

Full analysis: https://app.any.run/tasks/ae3cd859-f5b2-4d28-ac06-d817b8f6b9d9
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely available RATs on the market, and an abundance of educational material exists for it: interested attackers can even find tutorials on YouTube. This has helped make it one of the most popular RATs in the world.

Analysis date: December 06, 2018, 07:05:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
rat
njrat
bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BE1766726ABE21637B1B8AE1CAE13D12
SHA1: 3F09888F3EAB8EFD83022BD5B9638B43DF9CE6CE
SHA256: CC921FA6A3C8ED928D0D495984FDE0EE1EF45FA5224C85462B5101C11382FD1F
SSDEEP: 196608:DY/HpwzQZlnlgScP+gpuo6jzUg1wleMgJhd7RWkxY89:DLQZlnlU7gwgLd1gq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 900)
    • Application was dropped or rewritten from another process

      • Netflix Checker.exe (PID: 3364)
      • n.exe (PID: 3756)
      • L.exe (PID: 3916)
      • bohemian.sfx.exe (PID: 2608)
      • netflix cracker coded by evg.exe (PID: 2920)
      • LL.exe (PID: 3244)
      • nj.exe (PID: 2252)
      • bohemian.exe (PID: 1916)
      • ILCADXLAX.exe (PID: 3076)
      • data.exe (PID: 2632)
      • SystemProcess.exe (PID: 3964)
      • service.exe (PID: 2972)
      • service.exe (PID: 2216)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2196)
      • schtasks.exe (PID: 2432)
      • schtasks.exe (PID: 3320)
      • schtasks.exe (PID: 3484)
    • Changes the autorun value in the registry

      • bohemian.exe (PID: 1916)
      • data.exe (PID: 2632)
    • Uses Task Scheduler to run other applications

      • bohemian.exe (PID: 1916)
      • LL.exe (PID: 3244)
      • L.exe (PID: 3916)
    • Connects to CnC server

      • ILCADXLAX.exe (PID: 3076)
    • MINER was detected

      • ILCADXLAX.exe (PID: 3076)
    • Writes to a start menu file

      • data.exe (PID: 2632)
    • NJRAT was detected

      • data.exe (PID: 2632)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3784)
      • bohemian.sfx.exe (PID: 2608)
      • Netflix Checker.exe (PID: 3364)
      • bohemian.exe (PID: 1916)
      • nj.exe (PID: 2252)
      • data.exe (PID: 2632)
      • LL.exe (PID: 3244)
    • Connects to unusual port

      • ILCADXLAX.exe (PID: 3076)
      • data.exe (PID: 2632)
    • Creates files in the user directory

      • data.exe (PID: 2632)
      • nj.exe (PID: 2252)
      • LL.exe (PID: 3244)
    • Starts itself from another location

      • nj.exe (PID: 2252)
      • LL.exe (PID: 3244)
    • Uses NETSH.EXE for network configuration

      • data.exe (PID: 2632)
  • INFO

    • Application was crashed

      • netflix cracker coded by evg.exe (PID: 2920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 20
Malicious processes: 7
Suspicious processes: 2

Behavior graph

(Interactive graph, rendered in the full report.) Processes shown in the graph: winrar.exe, searchprotocolhost.exe, netflix checker.exe, bohemian.sfx.exe, l.exe, ll.exe, n.exe, nj.exe, netflix cracker coded by evg.exe, bohemian.exe, schtasks.exe, ilcadxlax.exe (#MINER), data.exe (#NJRAT), systemprocess.exe, netsh.exe, service.exe. Edges in the graph are either "start" or "drop and start".

Process information

PID: 3784
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Netflix Checker By FknDemon.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 900
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3364
CMD: "C:\Users\admin\Desktop\Netflix Checker By FknDemon\Netflix Checker.exe"
Path: C:\Users\admin\Desktop\Netflix Checker By FknDemon\Netflix Checker.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2608
CMD: "C:\Users\admin\AppData\Local\Temp\bohemian.sfx.exe"
Path: C:\Users\admin\AppData\Local\Temp\bohemian.sfx.exe
Parent process: Netflix Checker.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3916
CMD: "C:\Users\admin\AppData\Local\Temp\L.exe"
Path: C:\Users\admin\AppData\Local\Temp\L.exe
Parent process: Netflix Checker.exe
User: admin
Integrity Level: HIGH
Description: Vis
Exit code: 0
Version: 1.0.0.0

PID: 3244
CMD: "C:\Users\admin\AppData\Local\Temp\LL.exe"
Path: C:\Users\admin\AppData\Local\Temp\LL.exe
Parent process: Netflix Checker.exe
User: admin
Integrity Level: HIGH
Description: Winx
Exit code: 0
Version: 1.3.1.1

PID: 3756
CMD: "C:\Users\admin\AppData\Local\Temp\n.exe"
Path: C:\Users\admin\AppData\Local\Temp\n.exe
Parent process: Netflix Checker.exe
User: admin
Integrity Level: HIGH
Description: Vis
Exit code: 0
Version: 1.0.0.0

PID: 2252
CMD: "C:\Users\admin\AppData\Local\Temp\nj.exe"
Path: C:\Users\admin\AppData\Local\Temp\nj.exe
Parent process: Netflix Checker.exe
User: admin
Integrity Level: HIGH
Description: Winx
Exit code: 0
Version: 1.3.1.1

PID: 2920
CMD: "C:\Users\admin\AppData\Local\Temp\netflix cracker coded by evg.exe"
Path: C:\Users\admin\AppData\Local\Temp\netflix cracker coded by evg.exe
Parent process: Netflix Checker.exe
User: admin
Company: www.crackingcenter.ir
Integrity Level: HIGH
Description: Netflix Cracker Coded By EVG
Version: 1.0.0.0

PID: 1916
CMD: "C:\Users\admin\AppData\Local\Temp\bohemian.exe"
Path: C:\Users\admin\AppData\Local\Temp\bohemian.exe
Parent process: bohemian.sfx.exe
User: admin
Integrity Level: HIGH
Description: (blank)
Version: 0.0.0.0
Total events: 2 947
Read events: 2 787
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 14
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3784 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3784.44558\Netflix Checker By FknDemon\Readme.txt | text
MD5: 2B34286BC8FF2EC9E52560EA069230A5
SHA256: 49C7E7EAA831FDD32FB97B1FC2108BB2F2DF4F16C95F2EB86CD3123BFF4C17E4

1916 | bohemian.exe | C:\Users\admin\AppData\Local\XGCQDOKWGZNZKZR\SystemProcess.exe | executable
MD5: FC110DC6A58E9B34F067610CDF737646
SHA256: 04D477992A608322150E4D32E57391CE18CB4502E5A306C83196C41618212357

2252 | nj.exe | C:\Users\admin\AppData\Roaming\data.exe | executable
MD5: 4457F54753901525EFC37E6560FC27C7
SHA256: 3952EDCD82C2D798563917BD1BB22BBF9AFAD9364AD73EF8D90EFFB9DB992D22

3364 | Netflix Checker.exe | C:\Users\admin\AppData\Local\Temp\netflix cracker coded by evg.exe | executable
MD5: 61AA0E18B35FC1921AE263694D53112F
SHA256: ECFFDE1394EB9B8840980B14892C17D00F77DE230EA4E9D4E4D9FDEAE3273F22

3364 | Netflix Checker.exe | C:\Users\admin\AppData\Local\Temp\n.exe | executable
MD5: 61622B92DB7DDD3170CF811873889E71
SHA256: 196442CB740327526C6C345C4F42ABB6922313E5E1C794E22A5B27AF9C07C719

3784 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3784.44558\Netflix Checker By FknDemon\DevComponents.DotNetBar2.dll | executable
MD5: 675BDEFC47A1E405DCF12304CFEE1E0D
SHA256: FF1C2D39A97F4F2C07063B933B7735D38BED77954B8D60DC285A029C797A6A54

3244 | LL.exe | C:\Users\admin\AppData\Roaming\System32\service.exe | executable
MD5: 814F7F24DB56271222A87DB3CDB8501B
SHA256: B3C433EA15A5F94A0A71A4917C9A12E829FB3BA9834645B1443A2F5F41F98BB7

2608 | bohemian.sfx.exe | C:\Users\admin\AppData\Local\Temp\bohemian.exe | executable
MD5: FC110DC6A58E9B34F067610CDF737646
SHA256: 04D477992A608322150E4D32E57391CE18CB4502E5A306C83196C41618212357

3364 | Netflix Checker.exe | C:\Users\admin\AppData\Local\Temp\LL.exe | executable
MD5: 814F7F24DB56271222A87DB3CDB8501B
SHA256: B3C433EA15A5F94A0A71A4917C9A12E829FB3BA9834645B1443A2F5F41F98BB7

3364 | Netflix Checker.exe | C:\Users\admin\AppData\Local\Temp\bohemian.sfx.exe | executable
MD5: 4A73122821CBB9FB48358BB95F36FF3B
SHA256: 6709F853E0FA2DF9E5F765D04925D83425A5BF40FD5B7B71C1234DA0DF812848
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3076 | ILCADXLAX.exe | 80.188.53.27:5555 | xmr.bohemianpool.com | O2 Czech Republic, a.s. | CZ | suspicious
2632 | data.exe | 79.159.172.236:5553 | redlocal.hopto.org | Telefonica De Espana | ES | malicious

DNS requests

Domain | IP | Reputation
xmr.bohemianpool.com | 80.188.53.27 | suspicious
redlocal.hopto.org | 79.159.172.236 | malicious

Threats

PID | Process | Class | Message
3076 | ILCADXLAX.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
3076 | ILCADXLAX.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
3076 | ILCADXLAX.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
3076 | ILCADXLAX.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c
3076 | ILCADXLAX.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
3076 | ILCADXLAX.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c
No debug info