File name:

fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35

Full analysis: https://app.any.run/tasks/376ea2a2-cfe6-45e8-b246-cba861e205f0
Verdict: Malicious activity
Threats:

njRAT (also tracked as Bladabindi) is a remote access trojan. It is one of the most widely available RATs, with an abundance of tutorials and other educational material, including videos on YouTube, which has helped make it one of the most popular RATs in the world.

Analysis date: November 24, 2024, 05:27:36
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
njrat
rat
bladabindi
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D9C6C0FA21A4E31465B6FC7709E59DD0

SHA1:

8C97E5FAAE3CCE0E7194555FA550376C264B068D

SHA256:

FB106F8C95672B6E5D61D5CB2EE499EF3779610FD45FF85B357AC6DA7CC23F35

SSDEEP:

768:M1BZjDlBRb9rS/6SsHatnuiokbS2agD5PvHj2XXJdxIEpma:M1P5zhS9jokkgD9YX3xIEpma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NJRAT has been detected (YARA)

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
    • NjRAT is detected

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
    • NJRAT has been detected (SURICATA)

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
    • Connects to the CnC server

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
  • SUSPICIOUS

    • Contacting a server suspected of hosting a CnC

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
    • Connects to unusual port

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
  • INFO

    • Reads the machine GUID from the registry

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
    • Reads the computer name

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
    • Checks supported languages

      • fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe (PID: 4012)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.7)
.exe | Win32 Executable MS Visual C++ (generic) (19.4)
.exe | Win64 Executable (generic) (17.2)
.scr | Windows screen saver (8.1)
.dll | Win32 Dynamic Link Library (generic) (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:19 14:54:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 53760
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xf02e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 113
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #NJRAT fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe

Process information

PID: 4012
CMD: "C:\Users\admin\Desktop\fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe"
Path: C:\Users\admin\Desktop\fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe
Indicators: NJRAT
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
Total events: 15 129
Read events: 15 119
Write events: 10
Delete events: 0

Modification events

(PID) Process: (4012) fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1

(PID) Process: (4012) fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe
Key: HKEY_CURRENT_USER\Software\bb27684ed69cc3c1b93b1a679ff8706e
Operation: write
Name: [kl]
Value:
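
The two registry writes above are the classic njRAT host artifacts: SEE_MASK_NOZONECHECKS=1 in the user's environment block suppresses the Attachment Manager "Open File - Security Warning" for files the process launches, and the [kl] value under HKCU\Software\<32-hex id> is where njRAT buffers captured keystrokes before sending them to the controller. The following is an added triage example, not part of the ANY.RUN report or of the sample: it takes registry write events (the two from this report plus one constructed benign write for contrast) and labels the njRAT-specific ones. The Run-key rule goes beyond what this run recorded; it covers the persistence njRAT normally installs under the same 32-hex name and is included as a general check, not as something observed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# njRAT keys its per-sample registry container (HKCU\Software\<id>) on a
# 32-hex-character identifier; this report shows bb27684ed69cc3c1b93b1a679ff8706e.
HEX32 = r"[0-9a-f]{32}"
SOFTWARE_ID_KEY = re.compile(rf"^HKEY_CURRENT_USER\\Software\\{HEX32}$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: str


def classify(ev: RegWrite) -> Optional[str]:
    """Map one registry write to an njRAT artifact label, or None if not of interest."""
    if (
        ev.key.lower() == r"hkey_current_user\environment"
        and ev.name.upper() == "SEE_MASK_NOZONECHECKS"
        and ev.value.strip() == "1"
    ):
        # Disables the zone (mark-of-the-web) prompt for files this user's
        # processes launch. Deployment scripts sometimes set it too, so on its
        # own it is weak evidence.
        return "zone-check suppression (SEE_MASK_NOZONECHECKS=1)"
    if SOFTWARE_ID_KEY.match(ev.key) and ev.name == "[kl]":
        # njRAT's keystroke log buffer; the value starts empty and grows as keys are logged.
        return "keystroke log buffer ([kl] under HKCU\\Software\\<32-hex>)"
    if RUN_KEY.match(ev.key) and re.fullmatch(HEX32, ev.name, re.IGNORECASE):
        # Not observed in this run: typical njRAT persistence, added as a general check.
        return "Run-key persistence with 32-hex value name"
    return None


def triage(events: List[RegWrite]) -> Dict[Tuple[int, str], List[str]]:
    """Group artifact labels by (pid, process)."""
    findings: Dict[Tuple[int, str], List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label is not None:
            findings.setdefault((ev.pid, ev.process), []).append(label)
    return findings


def njrat_like(findings: Dict[Tuple[int, str], List[str]]) -> List[Tuple[int, str]]:
    """Processes showing at least two distinct njRAT artifacts."""
    return [proc for proc, labels in findings.items() if len(set(labels)) >= 2]


SAMPLE_NAME = "fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe"

# The first two events are the writes listed in the report; the firefox.exe
# write is constructed here only to show a non-matching event.
SAMPLE_EVENTS = [
    RegWrite(4012, SAMPLE_NAME, r"HKEY_CURRENT_USER\Environment", "SEE_MASK_NOZONECHECKS", "1"),
    RegWrite(4012, SAMPLE_NAME, r"HKEY_CURRENT_USER\Software\bb27684ed69cc3c1b93b1a679ff8706e", "[kl]", ""),
    RegWrite(4640, "firefox.exe", r"HKEY_CURRENT_USER\Software\Mozilla\Firefox", "CurrentVersion", "132.0"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for proc, labels in result.items():
        print(proc, labels)
    print("njRAT-like processes:", njrat_like(result))
```

Feed it the write events from an EDR or Procmon export in the same shape; requiring two distinct artifacts per process keeps a lone SEE_MASK_NOZONECHECKS write from an installer from firing.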
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 93
DNS requests: 31
Threats: 68

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 304 | 23.32.238.211:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?19d50bb4a36d73e0 | unknown | - | - | whitelisted
1296 | svchost.exe | GET | 200 | 23.55.161.155:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
4640 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | - | - | whitelisted
4640 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | - | - | whitelisted
4640 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
4640 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
- | - | HEAD | 200 | 184.30.17.174:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
4640 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5f2b6b6f12087c12 | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d427199d7579a766 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
884 | rundll32.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
1948 | OfficeC2RClient.exe | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4640 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
4640 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
1296 | svchost.exe | 23.55.161.155:80 | - | Akamai International B.V. | DE | unknown
5552 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.32.238.211:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
officeclient.microsoft.com | 52.109.32.97 | whitelisted
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | whitelisted
google.com | 172.217.16.206 | whitelisted
ctldl.windowsupdate.com | 23.32.238.211, 23.32.238.208, 23.32.238.225, 23.32.238.219, 93.184.221.240 | whitelisted
r10.o.lencr.org | 184.24.77.48, 184.24.77.54 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats

PID | Process | Class | Message
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4012 | fb106f8c95672b6e5d61d5cb2ee499ef3779610fd45ff85b357ac6da7cc23f35.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
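
The nine Suricata alerts above fire on the njRAT check-in command "ll" as it crosses the wire; the report gives no packet capture or C2 address, so what follows is an added example, not data from this analysis. It assumes the njRAT 0.7d framing documented in public analyses of the family: each message is an ASCII decimal length, a NUL byte, then the payload, with fields separated by the literal string |'|'|; the first field of the registration message is "ll" and the second is the base64-encoded victim identifier. The stream contents (victim id, hardware id, host and user names, the trailing "inf" command and the cut-off frame) are constructed here to exercise the parser, including the case where a TCP segment ends mid-frame.

```python
import base64
from typing import Dict, List, Optional, Tuple

DELIM = b"|'|'|"        # njRAT field separator
REGISTER_CMD = b"ll"    # client check-in command (the token the ET rule name refers to)


def parse_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a raw TCP byte stream into complete njRAT payloads.

    Framing is '<ascii decimal length>\\x00<payload>'. Returns the complete
    payloads and the unconsumed tail, so a caller reassembling a stream can
    prepend that tail to the next segment. Raises ValueError if the bytes at
    the current offset are not a numeric length prefix (i.e. not njRAT framing).
    """
    frames: List[bytes] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                       # length prefix not complete yet
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > 10:
            raise ValueError(f"not njRAT framing at offset {pos}: {prefix!r}")
        length = int(prefix)
        start = nul + 1
        if start + length > len(buf):
            break                       # payload not fully received yet
        frames.append(buf[start:start + length])
        pos = start + length
    return frames, buf[pos:]


def decode_registration(payload: bytes) -> Optional[Dict[str, str]]:
    """Return the victim fields from an 'll' check-in, or None for any other command."""
    fields = payload.split(DELIM)
    if fields[0] != REGISTER_CMD or len(fields) < 5:
        return None
    try:
        # Second field is base64; validate=True rejects junk instead of silently decoding it.
        victim_id = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
    except ValueError:                  # binascii.Error is a ValueError subclass
        victim_id = fields[1].decode("latin-1")
    return {
        "victim_id": victim_id,
        "hwid": fields[2].decode("latin-1"),
        "computer": fields[3].decode("latin-1"),
        "user": fields[4].decode("latin-1"),
    }


def scan(buf: bytes) -> List[Dict[str, str]]:
    """Registration records present in a stream: the structured equivalent of the alert."""
    frames, _ = parse_frames(buf)
    return [rec for rec in (decode_registration(p) for p in frames) if rec is not None]


def frame(payload: bytes) -> bytes:
    """Wrap a payload in njRAT framing; used here only to build the constructed sample."""
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed stream: a check-in, a short "inf" command, then a frame cut off mid-payload.
CHECKIN = DELIM.join([
    REGISTER_CMD,
    base64.b64encode(b"HacKed_0000000000000000"),   # constructed victim id
    b"0000000000000000",                            # constructed hardware id
    b"DESKTOP-TEST", b"admin", b"24-11-24", b"",
    b"Win 11 ProfessionalSP0 x64", b"No", b"0.7d", b"..", b"",
])
SAMPLE_STREAM = frame(CHECKIN) + frame(b"inf") + b"12\x00partial"

if __name__ == "__main__":
    complete, tail = parse_frames(SAMPLE_STREAM)
    print(f"{len(complete)} complete frame(s), {len(tail)} byte(s) left over")
    for rec in scan(SAMPLE_STREAM):
        print(rec)
```

When running this over real captures, treat the length prefix as untrusted: the cap on prefix digits and the bounds check on start + length are what stop a hostile or corrupted stream from driving the parser into huge allocations or slicing past the buffer.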
No debug info