File name: 1.rar
Full analysis: https://app.any.run/tasks/0dbe4d17-aa95-4f03-be4d-e3eee953278e
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: April 25, 2019, 17:16:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, njrat, bladabindi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 39F7364B33E2D41DFFDEA06B4A39DE5A
SHA1: F01E0BA9367B2ED8C76D9029DDBBA270E4316D42
SHA256: F4BA20CFA3D260B55A3F8FEC42ACDA144C088D200140A2F978CF3113A48020BA
SSDEEP: 196608:mA62Qzv4IxwlJoRdNYi3gFCKTdfVXFITHru2ISWxHNAi/+PHkRBzKUv+Ie:j62QdxwGz3ggOdNXKXubvAhcaUv+P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GoldFlix Checker.exe (PID: 2596)
      • GoldFlix Checker.exe (PID: 3968)
      • NetFlix GC Checker by xRisky.exe (PID: 2160)
      • winconfig.exe (PID: 3784)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3092)
      • NetFlix GC Checker by xRisky.exe (PID: 2160)
    • Writes to a start menu file

      • winconfig.exe (PID: 3784)
    • Changes the autorun value in the registry

      • winconfig.exe (PID: 3784)
    • NJRAT was detected

      • winconfig.exe (PID: 3784)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 940)
      • GoldFlix Checker.exe (PID: 2596)
      • winconfig.exe (PID: 3784)
    • Starts itself from another location

      • GoldFlix Checker.exe (PID: 2596)
    • Creates files in the Windows directory

      • GoldFlix Checker.exe (PID: 2596)
    • Creates files in the user directory

      • winconfig.exe (PID: 3784)
    • Uses NETSH.EXE for network configuration

      • winconfig.exe (PID: 3784)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 43
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive view, available in the full report; only the node labels survive here): winrar.exe, searchprotocolhost.exe, netflix gc checker by xrisky.exe, goldflix checker.exe, goldflix checker.exe, winconfig.exe (#NJRAT), netsh.exe

Process information

PID: 940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3092
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2160
CMD: "C:\Users\admin\Desktop\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\2018 Gift card checker\NetFlix GC Checker by xRisky.exe"
Path: C:\Users\admin\Desktop\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\2018 Gift card checker\NetFlix GC Checker by xRisky.exe
Parent process: explorer.exe
User: admin
Company: NetFlix GC Checker by xRisky
Integrity Level: MEDIUM
Description: NetFlix GC Checker by xRisky
Exit code: 4294967295
Version: 1.0.0.0

PID: 3968
CMD: "C:\Users\admin\Desktop\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\GoldFlix Checker.exe"
Path: C:\Users\admin\Desktop\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\GoldFlix Checker.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: WindowsApplication1
Exit code: 0
Version: 1.0.0.0

PID: 2596
CMD: "C:\Users\admin\Desktop\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\GoldFlix Checker.exe"
Path: C:\Users\admin\Desktop\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\GoldFlix Checker.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: WindowsApplication1
Exit code: 0
Version: 1.0.0.0

PID: 3784
CMD: "C:\Windows\winconfig.exe"
Path: C:\Windows\winconfig.exe
Parent process: GoldFlix Checker.exe
User: admin
Integrity Level: HIGH
Description: WindowsApplication1
Version: 1.0.0.0

PID: 768
CMD: netsh firewall add allowedprogram "C:\Windows\winconfig.exe" "winconfig.exe" ENABLE
Path: C:\Windows\system32\netsh.exe
Parent process: winconfig.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 430
Read events: 915
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 8
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Combo\Cards2.txt
MD5:
SHA256:

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\HQ Proxy\HQ for Netflix.url
MD5:
SHA256:

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\HQ Proxy\SOCKS 4 for netflix.txt
MD5:
SHA256:

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\2018 Gift card checker\NetFlix GC Checker by xRisky.exe
Type: executable
MD5: C20FE813CE74AFAAECC2963ED2F38399
SHA256: 0A33AC7F5C5A236E63FF5CC404F39364D6F571601C85484C24E5B4B33B3D5B70

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\Working.PNG
Type: image
MD5: 2B25ACAA6A34EEF1AE779E6E1C69B1A5
SHA256: DE2F22F9106FA745BD831E12AAF732B9264634DD666868A264AF79C457E68F77

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\Read before use ( WHY NOT LAUNCH ).txt
Type: text
MD5: B07BBB689C7984899FA3185952426A0E
SHA256: 90B509E2141815468B6A3192C6FD432A3F630B14DC4892FB7B8D7DD1819129B8

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\Youtube Tutorial.url
Type: text
MD5: 9FB855B58E65838E920535A1F85D6436
SHA256: 7B7C8B236B26A90A5D3A5088725512658BDB3088AD124E38C883A8344955628F

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Combo\Cards1.txt
Type: text
MD5: E66728F8F7B9F6F748AD1D31A0CC3CAB
SHA256: C2D02BDFFF17F7D973FC2E538D8CFE37AC41FC742BB46FCF6E4D86700417056C

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\VirusTotal.txt
Type: text
MD5: 50473E81C12A69B1914E45206A6C7E31
SHA256: 89E9633664AD0CF1CEA8E244C632057F20572B53CDBB8311676F4A7F0DC02B4F

PID: 940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa940.12245\Cracking Netflix GiftCards\Checkers\2019- Netflix Giftcard checker ( working )\GoldFlix Checker.exe
Type: executable
MD5: 19F1E1913D37B8698E4FC1BB350D754A
SHA256: 9D9C257A3F669BABDA5BBBB3D143A7575F17BEE0425F90F80F2EF7BD807BFBC5
HTTP(S) requests: 0
TCP/UDP connections: 10
DNS requests: 6
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3784
Process: winconfig.exe
IP: 41.225.112.130:1411
Domain: hccr.sytes.net
ASN: GLOBALNET-AS
CN: TN
Reputation: unknown

DNS requests

Domain: hccr.sytes.net
IP: 41.225.112.130
Reputation: malicious

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info