File name:

Usb Evil Injector.rar

Full analysis: https://app.any.run/tasks/bf7818d6-268c-4be3-86ba-c3d803e7066b
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: February 15, 2024, 14:19:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

B0AC3F0A62674F1F43E0264C9FECB96A

SHA1:

47526AC5666057A416A2B3A1A85C2A0CCDCAD429

SHA256:

E8FECD2A703A6FA2006985F49D7B947EDE4A506A27C9FF834AF4C1C439AD2A2C

SSDEEP:

49152:ZpYxROZ86PAkHsmcv0eYTuJHwdWJH/b2ZMGCMVRStuwr0tmQkxnBkdgAEEJc53/C:ZpYi+YAkmFYTuJQdWJfbNGCMmcDtYxn6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3536)
      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
      • Tomvpns.exe (PID: 3488)
    • Creates a writable file in the system directory

      • Usb Evil Injector.exe (PID: 3956)
    • NjRAT is detected

      • UsbEvil.exe (PID: 3964)
      • Tomvpns.exe (PID: 3488)
    • Changes the autorun value in the registry

      • Tomvpns.exe (PID: 3488)
    • Create files in the Startup directory

      • Tomvpns.exe (PID: 3488)
    • NJRAT has been detected (YARA)

      • Tomvpns.exe (PID: 3488)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
      • Tomvpns.exe (PID: 3488)
    • Reads the Internet Settings

      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
    • Creates a software uninstall entry

      • Usb Evil Injector.exe (PID: 3956)
    • Reads security settings of Internet Explorer

      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
    • Starts itself from another location

      • UsbEvil.exe (PID: 3964)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Tomvpns.exe (PID: 3488)
  • INFO

    • Checks supported languages

      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
      • Usb Evil Injector.exe (PID: 3684)
      • Tomvpns.exe (PID: 3488)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3536)
    • Manual execution by a user

      • Usb Evil Injector.exe (PID: 1876)
      • Usb Evil Injector.exe (PID: 3956)
    • Reads the computer name

      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
      • Usb Evil Injector.exe (PID: 3684)
      • Tomvpns.exe (PID: 3488)
    • Create files in a temporary directory

      • Usb Evil Injector.exe (PID: 3956)
      • UsbEvil.exe (PID: 3964)
    • Creates files in the program directory

      • Usb Evil Injector.exe (PID: 3956)
    • Reads the machine GUID from the registry

      • UsbEvil.exe (PID: 3964)
      • Usb Evil Injector.exe (PID: 3684)
      • Tomvpns.exe (PID: 3488)
    • Creates files or folders in the user directory

      • Tomvpns.exe (PID: 3488)
    • Reads Environment values

      • Tomvpns.exe (PID: 3488)

NjRat

(PID) Process: (3488) Tomvpns.exe
C2: ffy643dfxvtesdyekyg.ddns.net
Ports: 6060
Botnet: Logiin
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\b02cdad74057151abb2f867067ec6571
Splitter: |'|'|
Version: 0.7d
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 48
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph, in display order:

  • start
  • winrar.exe
  • usb evil injector.exe (no specs)
  • usb evil injector.exe #NJRAT
  • usbevil.exe #NJRAT
  • tomvpns.exe
  • usb evil injector.exe (no specs)
  • netsh.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1876
CMD: "C:\Users\admin\Desktop\Usb Evil Injector\Usb Evil Injector.exe"
Path: C:\Users\admin\Desktop\Usb Evil Injector\Usb Evil Injector.exe
Parent process: explorer.exe
User: admin
Company: CloudEng
Integrity Level: MEDIUM
Description: Usb Evil Injector V 1.0 Installation
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the installer was relaunched elevated as PID 3956)
Version: V 1.0
Modules
Images
c:\users\admin\desktop\usb evil injector\usb evil injector.exe
c:\windows\system32\ntdll.dll
PID: 3068
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\Tomvpns.exe" "Tomvpns.exe" ENABLE
Path: C:\Windows\System32\netsh.exe
Parent process: Tomvpns.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 3488
CMD: "C:\Users\admin\AppData\Local\Temp\Tomvpns.exe"
Path: C:\Users\admin\AppData\Local\Temp\Tomvpns.exe
Parent process: UsbEvil.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\tomvpns.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
NjRat
(PID) Process: (3488) Tomvpns.exe
C2: ffy643dfxvtesdyekyg.ddns.net
Ports: 6060
Botnet: Logiin
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\b02cdad74057151abb2f867067ec6571
Splitter: |'|'|
Version: 0.7d
PID: 3536
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Usb Evil Injector.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3684
CMD: "C:\Windows\system32\Usb Evil Injector.exe"
Path: C:\Windows\System32\Usb Evil Injector.exe
Parent process: Usb Evil Injector.exe
User: admin
Integrity Level: HIGH
Description: Usb Evil Injector
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\windows\system32\usb evil injector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3956
CMD: "C:\Users\admin\Desktop\Usb Evil Injector\Usb Evil Injector.exe"
Path: C:\Users\admin\Desktop\Usb Evil Injector\Usb Evil Injector.exe
Parent process: explorer.exe
User: admin
Company: CloudEng
Integrity Level: HIGH
Description: Usb Evil Injector V 1.0 Installation
Exit code: 0
Version: V 1.0
Modules
Images
c:\users\admin\desktop\usb evil injector\usb evil injector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3964
CMD: "C:\Windows\system32\UsbEvil.exe"
Path: C:\Windows\System32\UsbEvil.exe
Parent process: Usb Evil Injector.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system32\usbevil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 8 461
Read events: 8 315
Write events: 146
Delete events: 0

Modification events

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Usb Evil Injector.rar

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3536) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 6
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Users\admin\AppData\Local\Temp\$inst\8.tmp | Type: image
MD5: CDFB00BA27DDC4F0649BB274BCE55774
SHA256: 00A49EEBE20548DE2AA3DE3594B323D689E6467CBB63A4791604F4F82FE7360F

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Users\admin\AppData\Local\Temp\$inst\7.tmp | Type: image
MD5: 420AEE57B5E083D256D28E45EF887ADB
SHA256: 1EFB1A8831F68B443A3E3A06599E914162DC1A9B1B8F9EBC8020B40B72BBFB80

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | Type: compressed
MD5: 2A87B74A3EFDF116B71EA40069716B11
SHA256: 377A2BB2FD50D355AE0A6E835C59B4DAD616E02CA55C87863B40868A20405FF6

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Users\admin\AppData\Local\Temp\$inst\2.tmp | Type: compressed
MD5: 3FE79F88FA55891C59DF7AA34C210C11
SHA256: 675258D7B0484FFC77BD2D260FA328E49EE9D13F699435B691CBF114BFA339C7

PID: 3536 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3536.25640\Usb Evil Injector\Usb Evil Injector.exe | Type: executable
MD5: 6EA7B17DA22670191DFD39F0AFC3D0D2
SHA256: 4551F776A0069B087192A3D07BCA8B171EEEF6999FBDA54B05592B6DF0243E2F

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Windows\system32\Usb Evil Injector.exe | Type: executable
MD5: 8C6A2858649CD608A5DD0B8177811EA6
SHA256: 5CD8AF351808ED8F03906CCB0573F6F187DCDF65468F29CDB53533C523CA837C

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Program Files\CloudEng\Usb Evil Injector\Uninstall.ini | Type: ini
MD5: A24B096888CE57E04AD99543BDA54EE7
SHA256: 0888AC676CFA41EB2527CB651405087E45F49E9AA175263D6DB19FC8EB10FDDF

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Users\admin\Desktop\Usb Evil Injector.lnk | Type: lnk
MD5: F52F78C9DBF09E5A0D26B3C6385965FF
SHA256: A096623794467778B5710205EF090AD850F64558C4293DD2F4DE6010691048BE

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Windows\system32\UsbEvil.exe | Type: executable
MD5: A1EA927974B2DD367EAFEA235461D9FA
SHA256: 8973727793686D03E836DE462993A97020F01E2D213D60B2B01DE75BC2BD83D0

PID: 3956 | Process: Usb Evil Injector.exe | Filename: C:\Users\admin\AppData\Local\Temp\$inst\5.tmp | Type: image
MD5: AB2021E67E0E08657288D880ABFBAA72
SHA256: 331D997E586CBA40D4DA0587887FC4CAA4CC44E53421737DAFA67E67445E6753
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 1

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
Domain: ffy643dfxvtesdyekyg.ddns.net | IP: (not resolved) | Reputation: unknown

Threats

PID
Process
Class
Message
PID: 1080 | Process: svchost.exe | Class: Potentially Bad Traffic | Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net