File name: Minecraft Checker v2.rar

Full analysis: https://app.any.run/tasks/604c53ec-4080-4479-b860-ca1428378942
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: September 30, 2020, 10:09:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: AFB5323189D4BCCE9B48F23B753531DD
SHA1: 4C312764C14100B88A92BE61ABBF396AD553F9F2
SHA256: EC959907F0F8959D388C24F9B0ED2478159F0F1F4E6DE75F31A5A5EC9DEB925D
SSDEEP: 6144:lu/MIeXU/Iw8c7/p6RxT6iB7W9j8DfFSXAXg6YuffWqgpr3b4ZXKl4d01sxaULi3:l/IeXAtIT6ip+QwyuqgpDEZXS4dMmLi3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Minecraft Checker.exe (PID: 3396)
      • VIP72.exe (PID: 3132)
    • Changes the autorun value in the registry

      • VIP72.exe (PID: 3132)
    • NJRAT was detected

      • VIP72.exe (PID: 3132)
    • Writes to a start menu file

      • VIP72.exe (PID: 3132)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2520)
      • Minecraft Checker.exe (PID: 3396)
      • VIP72.exe (PID: 3132)
    • Creates files in the user directory

      • Minecraft Checker.exe (PID: 3396)
      • VIP72.exe (PID: 3132)
    • Starts itself from another location

      • Minecraft Checker.exe (PID: 3396)
    • Uses NETSH.EXE for network configuration

      • VIP72.exe (PID: 3132)
  • INFO

    No info indicators.
No Malware configuration.

TRiD:
  • .rar | RAR compressed archive (v5.0) (61.5)
  • .rar | RAR compressed archive (gen) (38.4)

No data.
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process chain)

  • winrar.exe → minecraft checker.exe (drop and start) → vip72.exe (drop and start, #NJRAT) → netsh.exe (start, no specs)

Process information

  • PID 2520
    • CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Minecraft Checker v2.rar"
    • Path: C:\Program Files\WinRAR\WinRAR.exe
    • Parent process: explorer.exe
    • User: admin
    • Company: Alexander Roshal
    • Integrity Level: MEDIUM
    • Description: WinRAR archiver
    • Version: 5.60.0
  • PID 3396
    • CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\Minecraft Checker.exe"
    • Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\Minecraft Checker.exe
    • Parent process: WinRAR.exe
    • User: admin
    • Integrity Level: MEDIUM
    • Description: (none)
    • Exit code: 0
    • Version: 1.0.0.0
  • PID 3132
    • CMD: "C:\Users\admin\AppData\Roaming\VIP72.exe"
    • Path: C:\Users\admin\AppData\Roaming\VIP72.exe
    • Parent process: Minecraft Checker.exe
    • User: admin
    • Integrity Level: MEDIUM
    • Description: (none)
    • Version: 1.0.0.0
  • PID 3108
    • CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\VIP72.exe" "VIP72.exe" ENABLE
    • Path: C:\Windows\system32\netsh.exe
    • Parent process: VIP72.exe
    • User: admin
    • Company: Microsoft Corporation
    • Integrity Level: MEDIUM
    • Description: Network Command Shell
    • Exit code: 1
    • Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 909
Read events: 825
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

  • PID 2520 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\pdbz.dat (binary)
    • MD5: 7FEEBFE4084A0F1F870C634E6643C077
    • SHA256: 2672FE280A9541E9E3C288AEC1C8072809DAED3E77DB4F9F95A49E279DFE0BDC
  • PID 2520 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\Minecraft Checker.exe (executable)
    • MD5: 6DC20E39D9A976EBF6B50F23626616BF
    • SHA256: DF6F35647AE151FD2ADC8E042F6A8D70E489B812057436DF2639CFE427C003E8
  • PID 3396 (Minecraft Checker.exe): C:\Users\admin\AppData\Roaming\VIP72.exe (executable)
    • MD5: 6DC20E39D9A976EBF6B50F23626616BF
    • SHA256: DF6F35647AE151FD2ADC8E042F6A8D70E489B812057436DF2639CFE427C003E8
  • PID 2520 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\Read before using.txt (text)
    • MD5: 37C2BB6B29E924F13E28E1D00896088A
    • SHA256: 2F2958D1A7334C6B43777311A8C6D3C08107D9418394267F5627A798412C0106
  • PID 3132 (VIP72.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63951ff13995ee572862321383fecced.exe (executable)
    • MD5: 6DC20E39D9A976EBF6B50F23626616BF
    • SHA256: DF6F35647AE151FD2ADC8E042F6A8D70E489B812057436DF2639CFE427C003E8
  • PID 2520 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\MetroSuite 2.0.dll (executable)
    • MD5: 0D30A398CEC0FF006B6EA2B52D11E744
    • SHA256: 8604BF2A1FE2E94DC1EA1FBD0CF54E77303493B93994DF48479DC683580AA654
  • PID 2520 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\Qoollo.Turbo.dll (executable)
    • MD5: 4E8246DF4EE956EC273C4BAA2054593C
    • SHA256: 1172732FD0FE6B679F5C6BF750598133DC815622C55EF1FA84087087BF42B495
  • PID 2520 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2520.43489\Minecraft Checker v2\xNet.dll (executable)
    • MD5: 158DEFD55A804AA8D4D67BFDF7A4AF9C
    • SHA256: 6C7EC4CC31A2CE0B97703B7A42E3448E9B87D96DDA12761CA24D8787AC27CFF1
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

  • PID 3132 (VIP72.exe): 3.134.252.206:2255, domain recreciptor.hopto.org, CN: US, reputation: malicious

DNS requests

  • recreciptor.hopto.org → 3.134.252.206 (reputation: malicious)

Threats

  • Class: Potentially Bad Traffic
    • Message: ET POLICY DNS Query to DynDNS Domain *.hopto .org
No debug info