File name: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe

Full analysis: https://app.any.run/tasks/cbe5bb46-e398-4a12-933f-83838f6f8da8
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely available RATs on the market, and abundant educational material exists for it: interested attackers can even find tutorials on YouTube. This accessibility has made it one of the most popular RATs in the world.

Analysis date: December 06, 2019, 16:40:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A83FFDE060E14EE4A3BFEA275013D2DA
SHA1: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB
SHA256: DC37703613FF444AAEC996739AE7EBBF7D1A9F91DE94BA9FA8C825A05584D715
SSDEEP: 98304:tNSsz7haqrQ6MbIRrW7LAYghoQLl3FU3qPUrEvG5MkMz:TSs/rQ6MMFWvBgGiVFDUrEvOxk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • iexplore.exe (PID: 3168)
      • svchost.exe (PID: 3032)
      • java.exe (PID: 912)
    • Uses SVCHOST.EXE for hidden code execution

      • 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe (PID: 1876)
    • Application was dropped or rewritten from another process

      • 201Server.exe (PID: 3688)
      • 534Windows Loader.exe (PID: 460)
      • 534Windows Loader.exe (PID: 1520)
      • java.exe (PID: 912)
    • Writes to a start menu file

      • java.exe (PID: 912)
    • NJRAT was detected

      • java.exe (PID: 912)
  • SUSPICIOUS

    • Starts Internet Explorer

      • 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe (PID: 1876)
    • Executable content was dropped or overwritten

      • 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe (PID: 1876)
      • iexplore.exe (PID: 3168)
      • 201Server.exe (PID: 3688)
      • java.exe (PID: 912)
    • Uses NETSH.EXE for network configuration

      • java.exe (PID: 912)
    • Starts itself from another location

      • 201Server.exe (PID: 3688)
    • Creates files in the user directory

      • java.exe (PID: 912)
    • Connects to unusual port

      • java.exe (PID: 912)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3168)
    • Connects to unusual port

      • iexplore.exe (PID: 3168)
    • Application was crashed

      • 534Windows Loader.exe (PID: 460)
    • Manual execution by user

      • NOTEPAD.EXE (PID: 3308)
      • explorer.exe (PID: 3832)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 51712
InitializedDataSize: 4096000
UninitializedDataSize: -
EntryPoint: 0xd0f4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 0x00001000 | 0x0000C828 | 0x0000CA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.24686
DATA | 0x0000E000 | 0x00000138 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.6875
BSS | 0x0000F000 | 0x000342D9 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.idata | 0x00044000 | 0x00000F9E | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.69836
.tls | 0x00045000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rdata | 0x00046000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.24913
.reloc | 0x00047000 | 0x00000C5C | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.2649
.rsrc | 0x00048000 | 0x003E5D4C | 0x003E5E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.99925

Resources

Title | Entropy | Size | Codepage | Language | Type
50 | 6.34492 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON
51 | 6.34492 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON
DVCLAL | 4 | 16 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
PACKAGEINFO | 4.69338 | 264 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
XTREME | 7.96371 | 5008 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
XTREMEBINDER | 7.99995 | 4047320 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
ICON_STANDARD | 2.0815 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON
MAINICON | 2.0815 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON

Imports

URLMON.DLL
advapi32.dll
kernel32.dll
ntdll.dll
oleaut32.dll
shell32.dll
shlwapi.dll
user32.dll
wininet.dll
No data.
Total processes: 55
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0

Behavior graph

[Process tree recovered from the graph: 7c153606c1a9f310ec0448d1b75f0a708b3a05bb.exe starts svchost.exe, iexplore.exe, 201server.exe and two instances of 534windows loader.exe (201server.exe and 534windows loader.exe are dropped first); 201server.exe drops and starts java.exe (#NJRAT); java.exe starts netsh.exe; explorer.exe starts notepad.exe. Processes marked "no specs": 534windows loader.exe, netsh.exe, explorer.exe, notepad.exe.]

Process information

PID: 1876
CMD: "C:\Users\admin\AppData\Local\Temp\7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe"
Path: C:\Users\admin\AppData\Local\Temp\7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3032
CMD: svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3168
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3688
CMD: "C:\Users\admin\AppData\Local\Temp\201Server.exe"
Path: C:\Users\admin\AppData\Local\Temp\201Server.exe
Parent process: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 1520
CMD: "C:\Users\admin\AppData\Local\Temp\534Windows Loader.exe"
Path: C:\Users\admin\AppData\Local\Temp\534Windows Loader.exe
Parent process: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 460
CMD: "C:\Users\admin\AppData\Local\Temp\534Windows Loader.exe"
Path: C:\Users\admin\AppData\Local\Temp\534Windows Loader.exe
Parent process: 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225622

PID: 912
CMD: "C:\Users\admin\AppData\Local\Temp\java.exe"
Path: C:\Users\admin\AppData\Local\Temp\java.exe
Parent process: 201Server.exe
User: admin
Integrity Level: MEDIUM

PID: 1748
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\java.exe" "java.exe" ENABLE
Path: C:\Windows\system32\netsh.exe
Parent process: java.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3832
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3308
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ghvgh.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 151
Read events: 852
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
912 | java.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06ba5c7dc09753cabcf8613c07afcbb1.exe | executable
MD5: 9C55F9356FA1E5ADBBD50D2613A4AD28
SHA256: 27E4166B9813737F5511CEE8CE47E236F25CB33591F06AEFC34ED02A769743BB

3688 | 201Server.exe | C:\Users\admin\AppData\Local\Temp\java.exe | executable
MD5: 9C55F9356FA1E5ADBBD50D2613A4AD28
SHA256: 27E4166B9813737F5511CEE8CE47E236F25CB33591F06AEFC34ED02A769743BB

1876 | 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe | C:\Users\admin\AppData\Local\Temp\534Windows Loader.exe | executable
MD5: 3D1ADF43B737ED7656F2F5CA1E592EF1
SHA256: EACED28A23727BD1FCB54A72F1501C1F96B00DD95D9D2E9C6E4D31DF7C8E9E61

3168 | iexplore.exe | C:\Users\admin\AppData\Roaming\InstallDir\Server.exe | executable
MD5: A83FFDE060E14EE4A3BFEA275013D2DA
SHA256: DC37703613FF444AAEC996739AE7EBBF7D1A9F91DE94BA9FA8C825A05584D715

3308 | NOTEPAD.EXE | C:\Users\admin\Desktop\ghvgh.txt | text
MD5: C2562D853B2070C5212FB71309E1F000
SHA256: 922AEF461C91B39A4F7E623CDFAADEF091293FFFE51736C2E8DA50C4709069C8

1876 | 7C153606C1A9F310EC0448D1B75F0A708B3A05BB.exe | C:\Users\admin\AppData\Local\Temp\201Server.exe | executable
MD5: 9C55F9356FA1E5ADBBD50D2613A4AD28
SHA256: 27E4166B9813737F5511CEE8CE47E236F25CB33591F06AEFC34ED02A769743BB
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 5
Threats: 0

HTTP requests

PID: 3168
Process: iexplore.exe
Method: GET
IP: 141.255.146.146:80
URL: http://babaloo.duckdns.org/1234567890.functions
CN: NL
Reputation: malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
912 | java.exe | 141.255.146.146:1179 | babaloo.duckdns.org | Lost Oasis SARL | NL | malicious
3168 | iexplore.exe | 141.255.146.146:81 | babaloo.duckdns.org | Lost Oasis SARL | NL | malicious
3168 | iexplore.exe | 141.255.146.146:80 | babaloo.duckdns.org | Lost Oasis SARL | NL | malicious

DNS requests

Domain | IP | Reputation
babaloo.duckdns.org | 141.255.146.146 | malicious

Threats

Class | Message
Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info