File name: 8c414dd1ea5ae9692ba7253d8f1cc74a.exe

Full analysis: https://app.any.run/tasks/c359e28f-792f-4ddc-a87d-8943f58c38a6
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, and an abundance of educational material about it exists; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: December 05, 2022, 17:43:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 575AFD89B3AC91FDE31C5F2A9F583563
SHA1: C0493D05003A2CCA4B185AA13FF1B5BF1E91A6C9
SHA256: D1CB077F3919F2936C187F20A3F9E9D57A37686DEF487DAEFDCECECA5CFF01EF
SSDEEP: 3072:h1OLrUdykR12aamZEBQB60/Q8KglEG/hg1Rc:HOUskLVZhm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Writes to the Start menu file
      • 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (PID: 1580)
    • NjRAT is detected
      • 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (PID: 1580)
    • Changes the autorun value in the registry
      • 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (PID: 1580)
  • SUSPICIOUS
    • Connects to unusual port
      • 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (PID: 1580)
  • INFO
    • Reads the computer name
      • 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (PID: 1580)
    • Checks supported languages
      • 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (PID: 1580)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (62)
.exe | Win64 Executable (generic) (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2021-Aug-13 12:17:47
Debug artifacts:
  • c:\users\cem hamdi2\documents\visual studio 2012\Projects\PDF02\PDF02\obj\Debug\PDF02.pdb
FileDescription: PDF02
FileVersion: 1.0.0.0
InternalName: PDF02.exe
LegalCopyright: Copyright © 2021
OriginalFilename: PDF02.exe
ProductName: PDF02
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 4
TimeDateStamp: 2021-Aug-13 12:17:47
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 8192 | 174580 | 174592 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.13371
.sdata | 188416 | 312 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.05881
.rsrc | 196608 | 11824 | 12288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.28675
.reloc | 212992 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.27627 | 656 | UNKNOWN | UNKNOWN | RT_VERSION
2 | 2.0843 | 296 | UNKNOWN | UNKNOWN | RT_ICON
3 | 1.04772 | 1384 | UNKNOWN | UNKNOWN | RT_ICON
4 | 2.76148 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
5 | 1.71396 | 744 | UNKNOWN | UNKNOWN | RT_ICON
6 | 1.72071 | 2216 | UNKNOWN | UNKNOWN | RT_ICON
7 | 2.72257 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 2.71964 | 90 | UNKNOWN | UNKNOWN | RT_GROUP_ICON
1 (#2) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

mscoree.dll
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 8c414dd1ea5ae9692ba7253d8f1cc74a.exe (#NJRAT) -> netsh.exe (no specs)

Process information

PID: 1580
CMD: "C:\Users\admin\AppData\Local\Temp\8c414dd1ea5ae9692ba7253d8f1cc74a.exe"
Path: C:\Users\admin\AppData\Local\Temp\8c414dd1ea5ae9692ba7253d8f1cc74a.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: PDF02
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\8c414dd1ea5ae9692ba7253d8f1cc74a.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sechost.dll
PID: 2972
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\8c414dd1ea5ae9692ba7253d8f1cc74a.exe" "8c414dd1ea5ae9692ba7253d8f1cc74a.exe" ENABLE
Path: C:\Windows\system32\netsh.exe
Parent process: 8c414dd1ea5ae9692ba7253d8f1cc74a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\credui.dll
  • c:\windows\system32\gdi32.dll
Total events: 940
Read events: 819
Write events: 121
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
1580 | 8c414dd1ea5ae9692ba7253d8f1cc74a.exe | HKEY_CURRENT_USER | write | di | !
1580 | 8c414dd1ea5ae9692ba7253d8f1cc74a.exe | HKEY_CURRENT_USER\Environment | write | SEE_MASK_NOZONECHECKS | 1
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\dhcpqec.dll,-100 | DHCP Quarantine Enforcement Client
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\dhcpqec.dll,-101 | Provides DHCP based enforcement for NAP
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\dhcpqec.dll,-103 | 1.0
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\dhcpqec.dll,-102 | Microsoft Corporation
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\napipsec.dll,-1 | IPsec Relying Party
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\napipsec.dll,-2 | Provides IPsec based enforcement for Network Access Protection
2972 | netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | @%SystemRoot%\system32\napipsec.dll,-4 | 1.0
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1580 | 8c414dd1ea5ae9692ba7253d8f1cc74a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c414dd1ea5ae9692ba7253d8f1cc74a.exe | executable
MD5: 575AFD89B3AC91FDE31C5F2A9F583563
SHA256: D1CB077F3919F2936C187F20A3F9E9D57A37686DEF487DAEFDCECECA5CFF01EF
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1580 | 8c414dd1ea5ae9692ba7253d8f1cc74a.exe | 197.205.250.224:5552 | toumisalem.ddns.net | Telecom Algeria | DZ | unknown

DNS requests

Domain | IP | Reputation
toumisalem.ddns.net | 197.205.250.224 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

Class | Message
Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net