File name: | 3.zip |
Full analysis: | https://app.any.run/tasks/fc0c4916-3c37-4854-8115-74762e93110f |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | May 20, 2019, 13:16:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2187AE324F7CD40746B3E73651F0F74F |
SHA1: | 5E487E3BC9AD707952535D04182DEF16ECB028E0 |
SHA256: | E13B60C09B77CB861AC82818869204D222EF9C2ED5C3F1C219CF1C1D839C8044 |
SSDEEP: | 6144:HQMBSuIDvyU0uavh6z26YzbQL/7WaDgArsb5051G0:HLEuIDvQrh60b0Lsb5Z0 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:03:20 04:41:16 |
ZipCRC: | 0xdb1bf47f |
ZipCompressedSize: | 43670 |
ZipUncompressedSize: | 119296 |
ZipFileName: | xNet.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\3.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1692 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3580 | "C:\Users\admin\Desktop\Pof Privates.exe" | C:\Users\admin\Desktop\Pof Privates.exe | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3396 | "C:\Users\admin\AppData\Roaming\Pof Private.exe" | C:\Users\admin\AppData\Roaming\Pof Private.exe | Pof Privates.exe | |
User: admin Integrity Level: HIGH Description: Pof Private Exit code: 0 Version: 0.9 | ||||
2924 | "C:\Users\admin\AppData\Roaming\Google Chrome.exe" | C:\Users\admin\AppData\Roaming\Google Chrome.exe | Pof Privates.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3536 | "C:\Users\admin\AppData\Local\Temp\3582-490\Google Chrome.exe" | C:\Users\admin\AppData\Local\Temp\3582-490\Google Chrome.exe | Google Chrome.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3640 | "C:\Windows\svchost.com" "C:\Users\admin\AppData\Roaming\Chrome.exe" | C:\Windows\svchost.com | — | Google Chrome.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2620 | C:\Users\admin\AppData\Roaming\Chrome.exe | C:\Users\admin\AppData\Roaming\Chrome.exe | svchost.com | |
User: admin Integrity Level: HIGH | ||||
920 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\Chrome.exe" "Chrome.exe" ENABLE | C:\Windows\system32\netsh.exe | — | Chrome.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1892 | "C:\Windows\svchost.com" "C:\Windows\regedit.exe" | C:\Windows\svchost.com | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.23760\xNet.dll | — | |
MD5:— | SHA256:— | |||
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.23760\POF.FR-valids 2018-11-29_14_14_16.txt | — | |
MD5:— | SHA256:— | |||
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.23760\Pof Privates.exe | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Cab3764.tmp | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Tar3765.tmp | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Cab3785.tmp | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Tar3786.tmp | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Cab3797.tmp | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Tar3798.tmp | — | |
MD5:— | SHA256:— | |||
3396 | Pof Private.exe | C:\Users\admin\AppData\Local\Temp\Cab3854.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4084 | chrome.exe | GET | 302 | 172.217.22.46:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 504 b | whitelisted |
3396 | Pof Private.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.1 Kb | whitelisted |
4084 | chrome.exe | GET | 200 | 173.194.183.201:80 | http://r4---sn-aigl6nl7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=217.147.89.18&mm=28&mn=sn-aigl6nl7&ms=nvh&mt=1558358423&mv=m&pl=22&shardbypass=yes | US | crx | 842 Kb | whitelisted |
3396 | Pof Private.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt | US | der | 914 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4084 | chrome.exe | 216.58.205.238:443 | clients1.google.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 172.217.22.35:443 | www.google.com.ua | Google Inc. | US | whitelisted |
3396 | Pof Private.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4084 | chrome.exe | 172.217.22.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 172.217.16.206:443 | apis.google.com | Google Inc. | US | whitelisted |
— | — | 172.217.18.99:443 | www.gstatic.com | Google Inc. | US | whitelisted |
— | — | 172.217.22.46:80 | redirector.gvt1.com | Google Inc. | US | whitelisted |
2620 | Chrome.exe | 51.68.120.162:5552 | d3co4r.duckdns.org | — | GB | malicious |
— | — | 172.217.22.33:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 172.217.22.67:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
pandikeypu.000webhostapp.com |
| shared |
www.download.windowsupdate.com |
| whitelisted |
d3co4r.duckdns.org |
| malicious |
clientservices.googleapis.com |
| whitelisted |
www.google.com.ua |
| whitelisted |
accounts.google.com |
| shared |
clients1.google.com |
| whitelisted |
ssl.gstatic.com |
| whitelisted |
clients2.google.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
3396 | Pof Private.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2620 | Chrome.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection |
2620 | Chrome.exe | A Network Trojan was detected | ET TROJAN Bladabindi/njRAT CnC Command (ll) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2620 | Chrome.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection |
2620 | Chrome.exe | A Network Trojan was detected | ET TROJAN Bladabindi/njRAT CnC Command (ll) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection |