File name: DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002.UUE

Full analysis: https://app.any.run/tasks/81a284c6-4b29-4ce4-a96c-778322c2f1a8
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: October 09, 2019, 15:39:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, rat, njrat, bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 3BB43EFE680EFB8DFC9E1F077CDB1F66
SHA1: 8FEE916D6A4362EC4B5C8DDB4B3161368EB36924
SHA256: D6401600320AB2C9DBDAE782250C7344FF8A7D2554B2C32C95B3882062802993
SSDEEP: 12288:7lAvdSGVaf4yLcC9wmYjuoBC2NfvhoPpMli2OwBeP+KtMtCUZLk9ACVeDse9K3+M:ZcDaf4yZwmeu0dLGw8+/p4yCEDZQOOZV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe (PID: 2872)
    • Writes to a start menu file
      • DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe (PID: 2872)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 3188)
      • schtasks.exe (PID: 3580)
    • NJRAT was detected
      • RegSvcs.exe (PID: 2072)
    • Connects to CnC server
      • RegSvcs.exe (PID: 2072)
    • Uses Task Scheduler to run other applications
      • RegSvcs.exe (PID: 2072)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2828)
      • DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe (PID: 2872)
    • Creates files in the user directory
      • DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe (PID: 2872)
    • Connects to unusual port
      • RegSvcs.exe (PID: 2072)
    • Executed via Task Scheduler
      • RegSvcs.exe (PID: 3500)
      • RegSvcs.exe (PID: 1844)
      • RegSvcs.exe (PID: 1020)
      • RegSvcs.exe (PID: 3580)
      • RegSvcs.exe (PID: 3524)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain recovered from the graph: winrar.exe (drop and start) → documentoenexcelcomprimidoenpdfnumeroy12343424430001 documentoenexcelcomprimidoenpdfnumeroy12343424430002 documentoenexcelcomprimidoenpdfnumeroy12343424430003.exe (start) → regsvcs.exe (#NJRAT) → schtasks.exe ×2 (no specs); regsvcs.exe ×5 (no specs), started via Task Scheduler.

Process information

PID: 2828
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\680c4dbc-0423-4ef7-a77a-cdd03da979e1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2872
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2828.13434\DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2828.13434\DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM

PID: 2072
CMD: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.7.3062.0 built by: NET472REL1

PID: 3188
CMD: schtasks /Delete /tn NYAN /F
Path: C:\Windows\system32\schtasks.exe
Parent process: RegSvcs.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3580
CMD: schtasks /create /tn NYAN /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /sc minute /mo 1
Path: C:\Windows\system32\schtasks.exe
Parent process: RegSvcs.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3500
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.7.3062.0 built by: NET472REL1

PID: 3580
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.7.3062.0 built by: NET472REL1

PID: 3524
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.7.3062.0 built by: NET472REL1

PID: 1020
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.7.3062.0 built by: NET472REL1

PID: 1844
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.7.3062.0 built by: NET472REL1
Total events: 638
Read events: 606
Write events: 32
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(2828) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | write | LanguageList | en-US
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\680c4dbc-0423-4ef7-a77a-cdd03da979e1.rar
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
(2828) WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID: 2872
Process: DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BarcodeProvisioningPlugin.lnk
Type: lnk
MD5: F2F9825830C2F729C28E5B6A8E1464CB
SHA256: 8712435F9D5EED510EB7A0D7EFA6C4FA4A8B90D05575E60E1C70A05CAD5868F7

PID: 2828
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2828.13434\DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe
Type: executable
MD5: 433452AC8F49096A25FC711E74B57077
SHA256: 805A86D83FDBDCEE34D06C60893006168EACF83C0462128BECB69C63612E0898

PID: 2872
Process: DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430001 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430002 DOCUMENTOENEXCELCOMPRIMIDOENPDFNUMEROY12343424430003.exe
Filename: C:\USER-PC\BarcodeProvisioningPlugin\AxInstUI.scr
Type: executable
MD5: 433452AC8F49096A25FC711E74B57077
SHA256: 805A86D83FDBDCEE34D06C60893006168EACF83C0462128BECB69C63612E0898
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2072
Process: RegSvcs.exe
IP: 181.58.154.33:1990
Domain: 1demayo.duckdns.org
ASN: Telmex Colombia S.A.
CN: CO
Reputation: malicious

DNS requests

Domain: 1demayo.duckdns.org
IP: 181.58.154.33
Reputation: malicious

Threats

PID: (not attributed to a process)
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

PID: 2072
Process: RegSvcs.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] njRAT/Bladabindi

PID: 2072
Process: RegSvcs.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] njRAT.Gen RAT outbound connection
2 ETPRO signatures available at the full report
No debug info