File name:

online-fix.bat

Full analysis: https://app.any.run/tasks/a67af2b4-34ca-44cd-80c2-45f07f44a96b
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: March 25, 2024, 12:21:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
njrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

F7345F05BB8025D955DD0393DD0E30D6

SHA1:

82CF88D900FE122A1B4426F810C0F35387D5CB55

SHA256:

D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346

SSDEEP:

768:HsPs4/QWxR6S4t61KUubfyWgSXKgSVCV57dCiajVQNPl1Rz4Rk3CsOdMT1Bto:MvWt6Qz51eVCVQuZl1dDmST1P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • NJRAT has been detected (YARA)

      • server.exe (PID: 2856)

    • Create files in the Startup directory

      • server.exe (PID: 2856)

  • SUSPICIOUS

    • Reads the Internet Settings

      • online-fix.bat.exe (PID: 3500)

    • Executable content was dropped or overwritten

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • Starts itself from another location

      • online-fix.bat.exe (PID: 3500)

    • Reads security settings of Internet Explorer

      • online-fix.bat.exe (PID: 3500)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • server.exe (PID: 2856)

    • Probably fake Windows Update file has been dropped

      • server.exe (PID: 2856)

    • Creates file in the systems drive root

      • server.exe (PID: 2856)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • server.exe (PID: 2856)

  • INFO

    • Checks supported languages

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • Reads the machine GUID from the registry

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • Create files in a temporary directory

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • Reads the computer name

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • Creates files or folders in the user directory

      • online-fix.bat.exe (PID: 3500)
      • server.exe (PID: 2856)

    • Reads Environment values

      • server.exe (PID: 2856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(2856) server.exe
C2127.0.0.1
Ports7777
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a9a1fe7bc190c1bed7e77059f5826ea3
Splitter|'|'|
Version0.7d
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:25 11:43:09+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 94208
InitializedDataSize: 512
UninitializedDataSize: -
EntryPoint: 0x18efe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start online-fix.bat.exe #NJRAT server.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1824netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLEC:\Windows\System32\netsh.exeserver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2792netsh firewall delete allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe"C:\Windows\System32\netsh.exeserver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2856"C:\Users\admin\AppData\Local\Temp\server.exe" C:\Users\admin\AppData\Local\Temp\server.exe
online-fix.bat.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
NjRat
(PID) Process(2856) server.exe
C2127.0.0.1
Ports7777
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a9a1fe7bc190c1bed7e77059f5826ea3
Splitter|'|'|
Version0.7d
3500"C:\Users\admin\AppData\Local\Temp\online-fix.bat.exe" C:\Users\admin\AppData\Local\Temp\online-fix.bat.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\online-fix.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3996netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLEC:\Windows\System32\netsh.exeserver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
Total events
5 172
Read events
5 009
Write events
163
Delete events
0

Modification events

(PID) Process:(3500) online-fix.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3500) online-fix.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3500) online-fix.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3500) online-fix.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2856) server.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(3996) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3996) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-100
Value:
DHCP Quarantine Enforcement Client
(PID) Process:(3996) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-101
Value:
Provides DHCP based enforcement for NAP
(PID) Process:(3996) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-103
Value:
1.0
(PID) Process:(3996) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-102
Value:
Microsoft Corporation
Executable files
11
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2856server.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9a1fe7bc190c1bed7e77059f5826ea3Windows Update.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
2856server.exeC:\Users\admin\AppData\Local\Explower.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
3500online-fix.bat.exeC:\Users\admin\AppData\Roaming\apptext
MD5:CAC4598FDC0F92181616D12833EB6CA1
SHA256:275918973C23AD700F278C69CC03C9C82EC9F4D9ED0F53111AD22BEC197FF440
2856server.exeC:\Users\admin\Desktop\Explower.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
2856server.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
2856server.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
3500online-fix.bat.exeC:\Users\admin\AppData\Local\Temp\server.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
2856server.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Explower.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
2856server.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Explower.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
2856server.exeC:\Users\admin\Documents\Explower.exeexecutable
MD5:F7345F05BB8025D955DD0393DD0E30D6
SHA256:D1E398C6602AD307890E16A1AB6B979D7D28834072B22851B71CEE453B4C9346
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
online-fix.bat