| Field | Value |
|---|---|
| File name | Doc_7435.doc |
| Full analysis | https://app.any.run/tasks/7d0ad754-a303-4012-80a9-7a80f04fe058 |
| Verdict | Malicious activity |
| Threats | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world. |
| Analysis date | July 17, 2019, 11:07:53 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, unknown character set |
| MD5 | B8E1A1EFB94A995E7447D51541F08DE9 |
| SHA1 | 2440429F66F1260F18E35DE3B7F749B746858CD1 |
| SHA256 | EC21432052298640B54673391E93DF26375776F511D9CA1EFCF93FA939C2FF48 |
| SSDEEP | 768:OvyXCdJWz7zpgegbFz8Lob2GR/yapptJdRH4v:cm7gJz/BrH74v |
| Extension | Detected type |
|---|---|
| .rtf | Rich Text Format (100) |
| Property | Value |
|---|---|
| Title | Not |
| Author | C |
| LastModifiedBy | Windows User |
| CreateDate | 2019:06:20 00:52:00 |
| ModifyDate | 2019:06:20 00:52:00 |
| RevisionNumber | 2 |
| TotalEditTime | 1 minute |
| Pages | 1 |
| Words | - |
| Characters | 4 |
| CharactersWithSpaces | 4 |
| InternalVersionNumber | 24689 |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 3872 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Doc_7435.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | — |
| 2220 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | admin | MEDIUM | Design Science, Inc. | Microsoft Equation Editor | 00110900 | 0 |
| 2800 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | EQNEDT32.EXE | admin | MEDIUM | Design Science, Inc. | Microsoft Equation Editor | 00110900 | 0 |
| 2248 | C:\Users\admin\AppData\Roaming\811567.exe | C:\Users\admin\AppData\Roaming\811567.exe | | EQNEDT32.EXE | admin | MEDIUM | VersaVPN L.L.C | VersaVPN | 1.0.0.5 | 0 |
| 1464 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 811567.exe | admin | MEDIUM | Microsoft Corporation | Microsoft .NET Assembly Registration Utility | 2.0.50727.5420 (Win7SP1.050727-5400) | 0 |
| 2200 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | 811567.exe | admin | MEDIUM | Microsoft Corporation | Microsoft .NET Assembly Registration Utility | 2.0.50727.5420 (Win7SP1.050727-5400) | — |
| 2496 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 811567.exe | admin | MEDIUM | Microsoft Corporation | Microsoft .NET Assembly Registration Utility | 2.0.50727.5420 (Win7SP1.050727-5400) | 0 |
| 3116 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 811567.exe | admin | MEDIUM | Microsoft Corporation | Microsoft .NET Assembly Registration Utility | 2.0.50727.5420 (Win7SP1.050727-5400) | 0 |
| 3472 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 811567.exe | admin | MEDIUM | Microsoft Corporation | Microsoft .NET Assembly Registration Utility | 2.0.50727.5420 (Win7SP1.050727-5400) | 0 |
| 3436 | "C:\Users\admin\AppData\Local\Temp\tmp2850.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmp2850.tmp.exe | | RegAsm.exe | admin | MEDIUM | — | — | — | — |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF84B.tmp.cvr | — | — | — |
| 2800 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\811567.exe | — | — | — |
| 3436 | tmp2850.tmp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk | lnk | B9058655F58AB19BBA9BD047AD0980A8 | CBD628CD3C0D338CD5068D84FBA8FC111018C076BD390B71AD172B8F5EC124FF |
| 3872 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 0B4F87476DA447C1C656481A00718A55 | FF80064184ACC996698EC4FC263AD99E38BB89C102D0850877D92AE369355BC4 |
| 3872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\wd32PrvSE.wmf | binary | C8BBD69BB58F455FD68CE82892139525 | DA65E5D170765F586BD067BC32648B01E6FFDBBDC55FBED9DA5AAD8F5724E84B |
| 2800 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3[1].exe | executable | A1F0BA4951E43A05D5C05DE6E7BDF44C | 045EFFC81057CB6E8E94899EAF9B522768CFD3D81F0CBE029D1C15346961EB1D |
| 3872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$c_7435.doc | pgc | 03EEEAE541193079E92F839D7AB1B5DF | 89977099B0B851A2B1E8C6F9E76652A09F82B72B5F045A9BC69F88792CD5E073 |
| 2248 | 811567.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.exe | executable | 0177FE7E5A852CF74039DC757E2097E9 | 25BC5B363DD13BA2C9857681987D9BC3B477B28240CDB4F73971A0C91E78B575 |
| 2800 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@put[1].txt | text | A9757CD3DF7E3C9C09D7F85469DDDDA3 | E01B6EA892F4CEC4B982BC488C501EDDDF7FA5E1AF1EB519C499BF87AED8CAEE |
| 3436 | tmp2850.tmp.exe | C:\Users\admin\AppData\Roaming\Paint.exe | executable | 5A7F6775172FAD86EB4D448745B7F46F | D6427D4C692BC7FE6A62EB2018075B91CC5551E794383391CD1E4D715F55550B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2200 | RegAsm.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2012 | taskeng.exe | 148.81.111.121:80 | ilo.brenz.pl | Naukowa I Akademicka Siec Komputerowa Instytut Badawczy | PL | malicious |
2012 | taskeng.exe | 93.188.2.51:443 | krogia.com | Loopia AB | SE | malicious |
2012 | taskeng.exe | 107.170.223.154:443 | addxyz.com | Digital Ocean, Inc. | US | malicious |
2800 | EQNEDT32.EXE | 104.27.143.252:443 | m.put.re | Cloudflare Inc | US | shared |
2200 | RegAsm.exe | 185.247.228.236:7707 | — | — | — | malicious |
2012 | taskeng.exe | 83.133.119.197:80 | — | euNetworks Managed Services GmbH | — | unknown |
| Domain | IP | Reputation |
|---|---|---|
| m.put.re | — | suspicious |
| pastebin.com | — | shared |
| ilo.brenz.pl | — | unknown |
| imjffu.com | — | unknown |
| ant.trenz.pl | — | malicious |
| ynoqtq.com | — | unknown |
| uoemzq.com | — | unknown |
| addxyz.com | — | malicious |
| oeyxlh.com | — | unknown |
| eismgo.com | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
2200 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT/Bladabindi (Lime-RAT) |
— | — | A Network Trojan was detected | ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup |
2012 | taskeng.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdor.W32/Virut |
— | — | A Network Trojan was detected | ET TROJAN Known Hostile Domain ant.trenz .pl Lookup |
2012 | taskeng.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdor.W32/Virut |