File name: NjRat 0.7D Danger Edition.zip
Full analysis: https://app.any.run/tasks/87e2dc5d-8b7d-4f78-b861-fe4d62fe9199
Verdict: Malicious activity
Analysis date: August 08, 2020, 16:53:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B4CC9EDDC04D2AD55F6619E225B18F15
SHA1: DE91E18E3B3A095EA1BD03D12FD4DFD3AEACDE5C
SHA256: D7717F835E324E038BD3D6FE673286B768959BCD163C2DD9BDF9B8072881A67F
SSDEEP: 393216:zpM+xwFXeI4ejSKKEv1Wk9vydHGaY5OahBOCb:ze+5nej9KGZ9nF5OMBOs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3700)
    • Application was dropped or rewritten from another process

      • ~~NjRat 0.7D Danger Edition.exe (PID: 128)
      • ~~NjRat 0.7D Danger Edition.exe (PID: 3800)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3168)
    • Starts Internet Explorer

      • rundll32.exe (PID: 3860)
  • INFO

    • Manual execution by user

      • ~~NjRat 0.7D Danger Edition.exe (PID: 128)
      • rundll32.exe (PID: 3860)
      • ~~NjRat 0.7D Danger Edition.exe (PID: 3800)
    • Application launched itself

      • iexplore.exe (PID: 2824)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3004)
      • iexplore.exe (PID: 2824)
    • Changes internet zones settings

      • iexplore.exe (PID: 2824)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3004)
      • iexplore.exe (PID: 2824)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3004)
    • Creates files in the user directory

      • iexplore.exe (PID: 3004)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2824)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3004)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2824)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:07:19 16:06:15
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: NjRat 0.7D Danger Edition/
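The EXIF tags above (exiftool's ZipRequiredVersion, ZipBitFlag, ZipCompression, ZipModifyDate, ZipCRC and so on) are read from the archive's first local file header, which here is the stored, zero-length directory entry "NjRat 0.7D Danger Edition/": that is why the CRC is 0x00000000, the sizes are empty and the required version is 20 ("at least v2.0 to extract"). The following added example is not part of the ANY.RUN report. It builds a constructed archive with the same layout in memory (the entry names are taken from the report, the contents are placeholders) and walks the local headers with struct, so each reported tag can be traced to a header field. Note that the DOS timestamp in a ZIP header has 2-second resolution, so a parser can only recover an even second count.

```python
import struct
import zipfile
import zlib
from io import BytesIO

# Constructed archive mirroring the report's layout: a stored, zero-length directory
# entry first. Names come from the report; the contents are placeholders, not the
# real sample.
SAMPLE_DIR = "NjRat 0.7D Danger Edition/"
SAMPLE_INI = "NjRat 0.7D Danger Edition/Settings.ini"
SAMPLE_INI_DATA = b"; constructed placeholder, not the real Settings.ini\r\n"
SAMPLE_MTIME = (2020, 7, 19, 16, 6, 15)   # ZipModifyDate from the report

COMPRESSION_NAMES = {0: "None", 8: "Deflated", 12: "BZip2", 14: "LZMA"}
LOCAL_SIG = b"PK\x03\x04"
# signature, version needed, reserved byte, flags, method, DOS time, DOS date,
# CRC-32, compressed size, uncompressed size, name length, extra length (30 bytes)
LOCAL_HEADER = struct.Struct("<4sBBHHHHIIIHH")


def crc32_of(data):
    """CRC-32 as stored in ZIP headers (unsigned 32-bit)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_sample_zip():
    """Write the constructed archive into memory with zipfile, stored (not deflated)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        dir_info = zipfile.ZipInfo(SAMPLE_DIR, date_time=SAMPLE_MTIME)
        dir_info.external_attr = (0o40775 << 16) | 0x10   # directory attributes
        zf.writestr(dir_info, b"")
        zf.writestr(zipfile.ZipInfo(SAMPLE_INI, date_time=SAMPLE_MTIME), SAMPLE_INI_DATA)
    return buf.getvalue()


def dos_datetime(dosdate, dostime):
    """Decode the MS-DOS date/time pair; seconds are stored in 2-second units."""
    return (
        ((dosdate >> 9) & 0x7F) + 1980, (dosdate >> 5) & 0x0F, dosdate & 0x1F,
        (dostime >> 11) & 0x1F, (dostime >> 5) & 0x3F, (dostime & 0x1F) * 2,
    )


def parse_local_headers(data):
    """Walk the local file headers from offset 0 and return the fields exiftool reports."""
    entries = []
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        (_sig, ver_needed, _reserved, flags, method, dostime, dosdate, crc,
         csize, usize, name_len, extra_len) = LOCAL_HEADER.unpack_from(data, off)
        name = data[off + 30:off + 30 + name_len].decode("utf-8")
        entries.append({
            "filename": name,
            "version_needed": ver_needed,        # 20 -> "at least v2.0 to extract"
            "bit_flag": flags,
            "compression": COMPRESSION_NAMES.get(method, f"unknown({method})"),
            "modify_date": dos_datetime(dosdate, dostime),
            "crc": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        if flags & 0x08:
            # Sizes live in a trailing data descriptor, so the headers cannot be
            # walked sequentially; the central directory would be needed instead.
            break
        off += 30 + name_len + extra_len + csize
    return entries


if __name__ == "__main__":
    for entry in parse_local_headers(build_sample_zip()):
        print(entry)
```

The data-descriptor check matters on real samples: archives written to a non-seekable stream set bit 3 and leave CRC and sizes zero in the local header, which looks exactly like the "empty" values above but means something different.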
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree, rebuilt from the parent-process column of the table below ("no specs" is the label carried over from the graph):

explorer.exe
  WinRAR.exe (PID 3168)
  ~~NjRat 0.7D Danger Edition.exe (PID 128, no specs)
  rundll32.exe (PID 3860, no specs)
    iexplore.exe (PID 2824)
      iexplore.exe (PID 3004)
  ~~NjRat 0.7D Danger Edition.exe (PID 3800, no specs)
SearchIndexer.exe
  SearchProtocolHost.exe (PID 3700, no specs)

Process information

PID: 3168
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NjRat 0.7D Danger Edition.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3700
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 128
CMD: "C:\Users\admin\Desktop\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe"
Path: C:\Users\admin\Desktop\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe
Parent process: explorer.exe
User: admin
Company: CTRIK BY Fransesco
Integrity Level: MEDIUM
Description: CTRIK BY Fransesco
Exit code: 3221225758 (0xC000011E, an NTSTATUS error code rather than a normal return)
Version: 0.0.0.7

PID: 3860
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe.Config
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2824
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=Config
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3004
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2824 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3800
CMD: "C:\Users\admin\Desktop\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe"
Path: C:\Users\admin\Desktop\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe
Parent process: explorer.exe
User: admin
Company: CTRIK BY Fransesco
Integrity Level: MEDIUM
Description: CTRIK BY Fransesco
Exit code: 3221225758 (0xC000011E, an NTSTATUS error code rather than a normal return)
Version: 0.0.0.7
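The process list reads as two unrelated chains. Both launches of ~~NjRat 0.7D Danger Edition.exe (PIDs 128 and 3800) came from explorer.exe, that is, from the user, and both ended with exit code 3221225758, which is 0xC000011E, an NTSTATUS error: the report records no write events, no child processes and no network connections from either. The rundll32.exe process runs shell32.dll,OpenAs_RunDLL against the ~~NjRat 0.7D Danger Edition.exe.Config file, which is the Windows "Open with" dialog for a file type with no handler; its web lookup is what launched Internet Explorer with the go.microsoft.com fwlink (Ext=Config) and produced the shell.windows.com/fileassoc, OCSP and Bing traffic. The Internet Explorer, certificate-store and internet-zone signatures therefore belong to that dialog, not to the sample. The added example below is not ANY.RUN code: it rebuilds the tree from rows transcribed from the table above and decodes exit codes as NTSTATUS values. The report gives parent image names only, so parent PIDs are inferred from report order, an assumption of the example.

```python
import collections

# Rows transcribed from the report's process table: (PID, image name, parent image
# name, recorded exit code or None, command line where it matters). Parent PIDs are
# inferred below from report order; that inference is this example's assumption.
RUNDLL32_CMD = (r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
                r'C:\Users\admin\Desktop\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe.Config')

PROCESSES = [
    (3168, "WinRAR.exe", "explorer.exe", None, ""),
    (3700, "SearchProtocolHost.exe", "SearchIndexer.exe", None, ""),
    (128, "~~NjRat 0.7D Danger Edition.exe", "explorer.exe", 3221225758, ""),
    (3860, "rundll32.exe", "explorer.exe", 0, RUNDLL32_CMD),
    (2824, "iexplore.exe", "rundll32.exe", None, "http://go.microsoft.com/fwlink/?LinkId=57426&Ext=Config"),
    (3004, "iexplore.exe", "iexplore.exe", 0, "SCODEF:2824 CREDAT:267521 /prefetch:2"),
    (3800, "~~NjRat 0.7D Danger Edition.exe", "explorer.exe", 3221225758, ""),
]

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_exit_code(code):
    """Interpret a process exit code as an NTSTATUS value.

    Layout, MSB first: Sev (2 bits), Customer (1), reserved N (1), Facility (12),
    Code (16). A normal return such as 0 decodes as severity "success".
    """
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "severity": SEVERITY[code >> 30],
        "customer": bool(code & 0x20000000),
        "facility": (code >> 16) & 0x0FFF,
        "code": code & 0xFFFF,
    }


def is_open_with_dialog(cmdline):
    """True when rundll32 is hosting shell32's 'Open with' dialog for a file."""
    return "shell32.dll,openas_rundll" in cmdline.lower()


def resolve_parents(rows):
    """Map PID -> parent PID when an earlier row carries the parent's image name,
    otherwise -> the bare image name (an unmonitored root such as explorer.exe)."""
    latest_pid = {}
    parent_of = {}
    for pid, name, parent_name, _exit, _cmd in rows:
        parent_of[pid] = latest_pid.get(parent_name, parent_name)
        latest_pid[name] = pid
    return parent_of


def render_tree(rows):
    """Return the process tree as indented lines, annotating exit codes and the dialog."""
    parent_of = resolve_parents(rows)
    info = {pid: (name, exit_code, cmd) for pid, name, _p, exit_code, cmd in rows}
    children = collections.defaultdict(list)
    for pid, parent in parent_of.items():
        children[parent].append(pid)

    lines = []

    def walk(node, depth):
        for pid in children.get(node, []):
            name, exit_code, cmd = info[pid]
            notes = []
            if exit_code is not None:
                d = decode_exit_code(exit_code)
                notes.append(f"exit {d['hex']} ({d['severity']})")
            if is_open_with_dialog(cmd):
                notes.append("Open With dialog, not the sample")
            suffix = f"  [{'; '.join(notes)}]" if notes else ""
            lines.append(f"{'  ' * depth}{name} (PID {pid}){suffix}")
            walk(pid, depth + 1)

    roots = dict.fromkeys(p for p in parent_of.values() if isinstance(p, str))
    for root in roots:
        lines.append(root)
        walk(root, 1)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
```

Resolving a parent by the most recently listed process with that image name is adequate for this report; on a run with many same-named processes it is ambiguous, and the full report's per-process parent PID should be used instead.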
Total events: 1 316
Read events: 1 248
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 38
Suspicious files: 10
Text files: 10
Unknown types: 2

Dropped files

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\~~NjRat 0.7D Danger Edition.exe
  Type: executable
  MD5: EDA04645089D60F5CB602C8012A33E07
  SHA256: E6CFF62A0E8E7C654EEC97093A1295773F223CD3A6A11F65C91491CFBD6BE751

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Plugin\t.dll
  Type: executable
  MD5: 771C11CE7B5E13BC7415AAB054AF9E4A
  SHA256: 712626ED1AE9B07A876300EE93619E76834B9C2E64D724BCC1DAEF3060D6CDAF

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Plugin\1.dll
  Type: executable
  MD5: C3E8FF959A4027BC8CD67E26D3003370
  SHA256: AFDA8E5FB125E27AA1062365AB4B77C4FA3ACD14A6E435AB7DDDE18644266AF3

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Plugin\red.dll
  Type: executable
  MD5: 35BE497312C0FA928C92FA3E2FCA1783
  SHA256: 7FF23F4E452D1073547790F12070518B20BB4A305EFFEBBB90212CE141D64E84

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Settings.ini
  Type: text
  MD5: 332F4072F2109E4D81F2701C2387B186
  SHA256: 17F547710BF4FEFB27FF4470E0F78089C4888567EEC25380E136D9FDE1E02276

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Plugin\sc2.dll
  Type: executable
  MD5: 19967E886EDCD2F22F8D4A58C8EA3773
  SHA256: 3E5141C75B7746C0EB2B332082A165DEACB943CEF26BD84668E6B79B47BDFD93

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Stub.manifest
  Type: xml
  MD5: 4D18AC38A92D15A64E2B80447B025B7E
  SHA256: 835A00D6E7C43DB49AE7B3FA12559F23C2920B7530F4D3F960FD285B42B1EFB5

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Plugin\4.dll
  Type: executable
  MD5: 621FF03775382229AFBC039EFBA07212
  SHA256: D22944F50FDBE7B9FC55807EBCA0275E59A0EDE94226E2CE365BC507BC96EC68

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\Plugin\5.dll
  Type: executable
  MD5: 54B06DBC99832CA8A54232351AF21059
  SHA256: 4B6914D1CA3C871A2E79D54BB19A7A66E207548214B215698AC3371595CECB5A

Process: WinRAR.exe (PID 3168)
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3168.49333\NjRat 0.7D Danger Edition\GeoIP.dat
  Type: binary
  MD5: 797B96CC417D0CDE72E5C25D0898E95E
  SHA256: 8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3004
iexplore.exe
GET
301
2.16.186.24:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=Config
unknown
whitelisted
3004
iexplore.exe
GET
302
23.66.21.99:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=Config
NL
whitelisted
3004
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3004
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3004
iexplore.exe
23.66.21.99:80
go.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
3004
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3004
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2824
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3004
iexplore.exe
2.16.186.24:80
shell.windows.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 23.66.21.99
whitelisted
shell.windows.com
  • 2.16.186.24
  • 2.16.186.27
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

No threats detected
No debug info