URL:

https://goo.gl/QN8PQH

Full analysis: https://app.any.run/tasks/a2e2ae92-2770-48f7-bc80-d1a230d34ba8
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: December 06, 2018, 07:41:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
njrat
bladabindi
Indicators:
MD5:

72C8F9D82F0E34631BEC379A4193D1AB

SHA1:

8048DE3D3A59534C23457E389BE1AC2AE67AFD54

SHA256:

E3DB87179832B4CD6B25D44DA6E7BB3987D42B22D95D620673D27AEE489FB672

SSDEEP:

3:N8rQKvJ1U:2UKzU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • chrome.exe (PID: 4016)
      • chrome.exe (PID: 3232)
      • windanr.exe (PID: 2156)
      • chrome.exe (PID: 4004)
      • chrome.exe (PID: 2672)
      • iexplore.exe (PID: 3312)
      • chrome.exe (PID: 3792)
      • chrome.exe (PID: 2216)
      • chrome.exe (PID: 4048)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1252)
      • chrome.exe (PID: 2120)
      • chrome.exe (PID: 2432)
      • iexplore.exe (PID: 1828)
      • WinRAR.exe (PID: 3040)
      • chrome.exe (PID: 3248)
      • MSBuild.exe (PID: 1964)
      • DllHost.exe (PID: 3792)
      • cmd.exe (PID: 3904)
      • DllHost.exe (PID: 3776)
      • chrome.exe (PID: 3820)
      • conhost.exe (PID: 3988)
      • timeout.exe (PID: 2600)
      • chrome.exe (PID: 2404)
      • wmiprvse.exe (PID: 2724)
      • chrome.exe (PID: 3852)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 3716)
      • conhost.exe (PID: 2412)
      • cmd.exe (PID: 364)
      • chrome.exe (PID: 2492)
      • timeout.exe (PID: 3340)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1952)
      • reg.exe (PID: 2452)
      • MSBuild.exe (PID: 2732)
      • conhost.exe (PID: 3148)
      • reg.exe (PID: 3396)
      • reg.exe (PID: 2980)
      • cmd.exe (PID: 2232)
      • MSBuild.exe (PID: 3796)
      • timeout.exe (PID: 352)

    • Application was dropped or rewritten from another process

      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1252)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 3716)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1952)

    • Writes to a start menu file

      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1252)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 3716)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1952)

    • NJRAT was detected

      • MSBuild.exe (PID: 1964)

    • Connects to CnC server

      • MSBuild.exe (PID: 1964)

  • SUSPICIOUS

    • Creates files in the user directory

      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1252)

    • Executable content was dropped or overwritten

      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1252)
      • WinRAR.exe (PID: 3040)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 3716)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1952)

    • Starts CMD.EXE for commands execution

      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1252)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 3716)
      • ACTA DE INSPECION TRIBUTRIA.exe (PID: 1952)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3904)
      • cmd.exe (PID: 364)
      • cmd.exe (PID: 2232)

    • Connects to unusual port

      • MSBuild.exe (PID: 1964)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3312)

    • Application launched itself

      • iexplore.exe (PID: 3312)
      • chrome.exe (PID: 3852)

    • Creates files in the user directory

      • iexplore.exe (PID: 1828)
      • iexplore.exe (PID: 3312)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1828)
      • chrome.exe (PID: 3852)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
39
Malicious processes
10
Suspicious processes
6

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs acta de inspecion tributria.exe cmd.exe no specs #NJRAT msbuild.exe timeout.exe no specs windanr.exe no specs Thumbnail Cache Out of Proc Server no specs Thumbnail Cache Out of Proc Server no specs conhost.exe no specs wmiprvse.exe no specs reg.exe no specs acta de inspecion tributria.exe cmd.exe no specs conhost.exe no specs msbuild.exe no specs timeout.exe no specs chrome.exe no specs acta de inspecion tributria.exe cmd.exe no specs conhost.exe no specs msbuild.exe no specs timeout.exe no specs reg.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
352timeout 10 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
364"C:\Windows\System32\cmd.exe" /c timeout 10 && reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\.atr" /ve /d exefile /fC:\Windows\System32\cmd.exeACTA DE INSPECION TRIBUTRIA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1252"C:\Users\admin\Desktop\ACTA DE INSPECION TRIBUTRIA.exe" C:\Users\admin\Desktop\ACTA DE INSPECION TRIBUTRIA.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\acta de inspecion tributria.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
1828"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3312 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1952"C:\Users\admin\Desktop\ACTA DE INSPECION TRIBUTRIA.exe" C:\Users\admin\Desktop\ACTA DE INSPECION TRIBUTRIA.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\acta de inspecion tributria.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
1964"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
ACTA DE INSPECION TRIBUTRIA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
2.0.50727.5420 built by: Win7SP1
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2120"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=4A7110AFD35118E1105AEA3818B0260D --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4A7110AFD35118E1105AEA3818B0260D --renderer-client-id=6 --mojo-platform-channel-handle=3576 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2156"windanr.exe"C:\Windows\system32\windanr.exeqemu-ga.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2216"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5FBA95F88D2B72E7256525AD4164AF87 --mojo-platform-channel-handle=3832 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2232"C:\Windows\System32\cmd.exe" /c timeout 10 && reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\.atr" /ve /d exefile /fC:\Windows\System32\cmd.exeACTA DE INSPECION TRIBUTRIA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
3 061
Read events
2 856
Write events
200
Delete events
5

Modification events

(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:APPSTARTING
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:ARROW
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:CROSS
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:HAND
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:HELP
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:IBEAM
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:NO
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZEALL
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZENESW
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2156) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZENS
Value:
%SystemRoot%\cursors\clearcur.cur
Executable files
10
Suspicious files
64
Text files
84
Unknown types
3

Dropped files

PID
Process
Filename
Type
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3312iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3852chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:
SHA256:
1828iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ErrorPageTemplate[1]text
MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
SHA256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
1828iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\background_gradient[1]image
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
3852chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\b00d9ba0-7222-47b1-872a-17a6f8fbdd29.tmp
MD5:
SHA256:
3852chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:
1828iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\down[1]image
MD5:555E83CE7F5D280D7454AF334571FB25
SHA256:70F316A5492848BB8242D49539468830B353DDAA850964DB4E60A6D2D7DB4880
3852chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:
1828iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\tools[1]image
MD5:6F20BA58551E13CFD87EC059327EFFD0
SHA256:62A7038CC42C1482D70465192318F21FC1CE0F0C737CB8804137F38A1F9D680B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
28
DNS requests
20
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3312
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3312
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1828
iexplore.exe
172.217.168.14:443
goo.gl
Google Inc.
US
whitelisted
1828
iexplore.exe
31.208.86.241:443
u.lewd.se
Bredband2 AB
SE
suspicious
3852
chrome.exe
172.217.168.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3852
chrome.exe
172.217.168.3:443
www.google.de
Google Inc.
US
whitelisted
3852
chrome.exe
216.58.215.238:443
apis.google.com
Google Inc.
US
whitelisted
3852
chrome.exe
172.217.168.36:443
www.google.com
Google Inc.
US
whitelisted
3852
chrome.exe
216.58.215.234:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3852
chrome.exe
172.217.168.14:443
goo.gl
Google Inc.
US
whitelisted
3852
chrome.exe
31.208.86.241:443
u.lewd.se
Bredband2 AB
SE
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
goo.gl
  • 172.217.168.14
shared
u.lewd.se
  • 31.208.86.241
shared
clientservices.googleapis.com
  • 216.58.215.227
whitelisted
www.gstatic.com
  • 216.58.215.227
whitelisted
www.google.de
  • 172.217.168.3
whitelisted
safebrowsing.googleapis.com
  • 172.217.168.10
whitelisted
accounts.google.com
  • 216.58.215.237
shared
ssl.gstatic.com
  • 216.58.215.227
whitelisted
apis.google.com
  • 216.58.215.238
whitelisted

Threats

PID
Process
Class
Message
1052
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1964
MSBuild.exe
A Network Trojan was detected
MALWARE [PTsecurity] njRAT.Gen RAT outbound connection
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://goo.gl/QN8PQH