File name: Duper.rar
Full analysis: https://app.any.run/tasks/0f539177-7606-4d11-99a9-b3785fedadfb
Verdict: Malicious activity
Threats: njRAT

njRAT (also tracked as Bladabindi) is a remote access trojan and one of the most widely available RATs. Abundant tutorials, including on YouTube, lower the bar for would-be operators, and that accessibility has made it one of the most widely used RATs in the world.

Analysis date: June 27, 2022, 13:37:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi, trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 8DBB460C50EB32BDCBCD3FFA7A430B2D
SHA1: F211BAAA199F56ADE3CD4C0B2C6195968E50F3B2
SHA256: EAAC080AA4A5074A66FA3F8D09ED8F90B2A261A7E7EE80F339892DE023AB03E2
SSDEEP: 384:FLKFQGrbgeQs/fXI+/QBKEleHMfD7i+DBHQWQlDSt9xR1LUN5OX:FGTMZs/w+/eK9Mf/fRTtx1L0OX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by the analyst's actions inside the VM and is provided as is, for the user's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Drops executable file immediately after start: WinRAR.exe (PID 2940), Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Application was dropped or rewritten from another process: Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Connects to CnC server: svchost.exe (PID 2580)
    • Writes to a start menu file: svchost.exe (PID 2580)
    • NJRAT was detected: svchost.exe (PID 2580)
    • Changes the autorun value in the registry: svchost.exe (PID 2580)
  • SUSPICIOUS
    • Reads the computer name: WinRAR.exe (PID 2940), Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Checks supported languages: WinRAR.exe (PID 2940), Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Drops a file with a compile date too recent: WinRAR.exe (PID 2940), Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Executable content was dropped or overwritten: WinRAR.exe (PID 2940), Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Creates executable files which already exist in Windows: Duper.exe (PID 2740)
    • Creates files in the user directory: Duper.exe (PID 2740), svchost.exe (PID 2580)
    • Starts itself from another location: Duper.exe (PID 2740)
    • Uses NETSH.EXE for network configuration: svchost.exe (PID 2580)
    • Reads Environment values: netsh.exe (PID 280), svchost.exe (PID 2580)
  • INFO
    • Reads the computer name: netsh.exe (PID 280)
    • Checks supported languages: netsh.exe (PID 280)
Malware configuration: none extracted.

TRiD
  .rar | RAR compressed archive (v5.0) (61.5)
  .rar | RAR compressed archive (gen) (38.4)
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

  winrar.exe --(drop and start)--> duper.exe --(drop and start)--> svchost.exe (#NJRAT) --(start)--> netsh.exe (no specs)

Process information

PID 2940: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Duper.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0

PID 2740: Duper.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2940.24182\Duper.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2940.24182\Duper.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0

PID 2580: svchost.exe
  CMD: "C:\Users\admin\AppData\Roaming\svchost.exe"
  Path: C:\Users\admin\AppData\Roaming\svchost.exe
  Parent process: Duper.exe
  User: admin
  Integrity level: MEDIUM
  Note: this svchost.exe runs from the user's Roaming profile, not from C:\Windows\System32; the name mimics the Windows service host but the binary is the dropped payload.

PID 280: netsh.exe
  CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
  Path: C:\Windows\system32\netsh.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Network Command Shell
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: this is the legacy "netsh firewall" context, deprecated in favour of "netsh advfirewall firewall" since Windows Vista but still present on Windows 7; the report records exit code 1 without further detail.
Total events: 3 380
Read events: 3 015
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2940 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXb2940.24182\Duper.exe (executable)
  MD5: 04C2743FD4A6A4879CCBA119A4F07A8C
  SHA256: F7F180024FB717FEA125689B083B149A591D2B5BA6C3B75D630827E457E3267E
PID 2740 (Duper.exe): C:\Users\admin\AppData\Roaming\svchost.exe (executable)
  MD5: 04C2743FD4A6A4879CCBA119A4F07A8C
  SHA256: F7F180024FB717FEA125689B083B149A591D2B5BA6C3B75D630827E457E3267E
PID 2580 (svchost.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65842513b6f751e3f899870000ddeac.exe (executable)
  MD5: 04C2743FD4A6A4879CCBA119A4F07A8C
  SHA256: F7F180024FB717FEA125689B083B149A591D2B5BA6C3B75D630827E457E3267E

All three files carry the same MD5 and SHA256: the Duper.exe extracted by WinRAR is copied to %APPDATA%\svchost.exe and again, under a hex name, into the per-user Startup folder, so a single payload hash covers every stage of the chain.
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests: none

Connections

PID 2580 (svchost.exe) -> 193.219.117.144:7777
  Domain: none (direct-to-IP connection)
  ASN: S.c. Glin Service Turism S.r.l.
  CN: RO
  Reputation: malicious

DNS requests: none

Threats

PID 2580 (svchost.exe)
  Class: A Network Trojan was detected
  Message: ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
Debug info: none