Field | Value
---|---
Download | Heart-Sender-V1.2_1.zip
Full analysis | https://app.any.run/tasks/7cf49cf8-e808-441d-ae04-a60913a5a4da
Verdict | Malicious activity
Threats | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube, which has made it one of the most popular RATs in the world.
Analysis date | February 22, 2020, 02:30:59
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v1.0 to extract
MD5 | 483F2CA873DEA94669CE1707335D84EE
SHA1 | 4D8C52F9C4C0C5F30795994D292A48D2B58B635D
SHA256 | E1AC482B2273160DB19FA01F800F1358B49C22998B829E87B1F460EB5B86B543
SSDEEP | 12288:/KkGX3wLOhAi8csBbucu5laA+ehdXSfNDtZbxuKOs2GkI93FEZx:/5GX3wA6cebgyA+e7XSFlu5sddS7
Extension | Type
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipFileName | logs/
ZipUncompressedSize | —
ZipCompressedSize | —
ZipCRC | 0x00000000
ZipModifyDate | 2020:02:20 13:17:15
ZipCompression | None
ZipBitFlag | —
ZipRequiredVersion | 10
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Heart-Sender-V1.2_1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
1544 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.18633\Heart-Sender-V1.2.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.18633\Heart-Sender-V1.2.exe | — | WinRAR.exe | User: admin; Company: HeartFamily; Integrity Level: MEDIUM; Description: Heart Sender V1; Exit code: 0; Version: 1.0.0.0
3604 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.20303\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.20303\setup.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
2248 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.20303\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.20303\setup.exe | — | WinRAR.exe | User: admin; Integrity Level: HIGH; Exit code: 0
580 | "C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe" | C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe | — | setup.exe | User: admin; Integrity Level: HIGH; Exit code: 0
3392 | "C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe" | C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe | — | Windows Network.exe | User: admin; Integrity Level: HIGH
2564 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe" "Windows Network.exe" ENABLE | C:\Windows\system32\netsh.exe | — | Windows Network.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Network Command Shell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2956 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.22972\Heart-Sender-V1.2.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.22972\Heart-Sender-V1.2.exe | — | WinRAR.exe | User: admin; Company: HeartFamily; Integrity Level: MEDIUM; Description: Heart Sender V1; Version: 1.0.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2248 | setup.exe | C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe:ZoneIdentifier | — | — | —
3392 | Windows Network.exe | C:\Users\admin\AppData\Local\Temp\FransescoPast.txt | text | 999B8E36DD8728EFB1C5846A50106F59 | CF8273FE85EF2985623E89A0DAD31A75527139C89C77D3D4308CC6A8A3698783
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.20303\Settings.ini | text | 41679E215270290E80D2264E5335AA18 | A2D5E22F98B7E97D90D7F2BBB0FB514B3951D0FFA9F4E87537BF1BAAFB5311E7
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.18633\setup.exe | executable | A323D08293166506A9BA81A953ECD156 | 93A044F25C84FE757C1ED0AD5D7D75AB42BF6BBAC393AE3CCD78649A1183DA89
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.18633\Settings.ini | text | 41679E215270290E80D2264E5335AA18 | A2D5E22F98B7E97D90D7F2BBB0FB514B3951D0FFA9F4E87537BF1BAAFB5311E7
2248 | setup.exe | C:\Users\admin\AppData\Roaming\Windows Network\Windows Network.exe | executable | A323D08293166506A9BA81A953ECD156 | 93A044F25C84FE757C1ED0AD5D7D75AB42BF6BBAC393AE3CCD78649A1183DA89
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.22972\Settings.ini | text | 41679E215270290E80D2264E5335AA18 | A2D5E22F98B7E97D90D7F2BBB0FB514B3951D0FFA9F4E87537BF1BAAFB5311E7
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.20303\setup.exe | executable | A323D08293166506A9BA81A953ECD156 | 93A044F25C84FE757C1ED0AD5D7D75AB42BF6BBAC393AE3CCD78649A1183DA89
580 | Windows Network.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Network.vbs | text | 63E83CAC146354F1B2660FB3C533B22C | E295DFCD2A515D4631A86E132996E0929DAA03EAA6863C798806C5DC1491231F
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.22972\setup.exe | executable | A323D08293166506A9BA81A953ECD156 | 93A044F25C84FE757C1ED0AD5D7D75AB42BF6BBAC393AE3CCD78649A1183DA89
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3392 | Windows Network.exe | 18.188.14.65:13732 | 0.tcp.ngrok.io | — | US | shared

Domain | IP | Reputation
---|---|---
0.tcp.ngrok.io | — | shared

PID | Process | Class | Message
---|---|---|---
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
3392 | Windows Network.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT/Bladabindi
3392 | Windows Network.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection