Windows Analysis Report
njRAT.exe

Overview

General Information

Sample Name:njRAT.exe
Analysis ID:1299576
MD5:91f9995d4a2bc9ce890906439b796f29
SHA1:2b986160109af89693c732ee3c510bff248300d4
SHA256:d2e04274b842009181f6dc30792f0f15837b92e8effe06f1de08e96453ecfb32
Tags:exe
Infos:

Detection

Njrat
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Njrat
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • njRAT.exe (PID: 6588 cmdline: C:\Users\user\Desktop\njRAT.exe MD5: 91F9995D4A2BC9CE890906439B796F29)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
No configs have been found
Source | Rule | Description | Author | Strings
njRAT.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x9b1e:$a1: netsh firewall add allowedprogram
  • 0x9aa0:$b2: & exit
  • 0x9cda:$b2: & exit
  • 0x9a6e:$c1: md.exe /k ping 0 & del
Source | Rule | Description | Author | Strings
00000000.00000000.223824156.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x991e:$a1: netsh firewall add allowedprogram
  • 0x98a0:$b2: & exit
  • 0x9ada:$b2: & exit
  • 0x986e:$c1: md.exe /k ping 0 & del
Process Memory Space: njRAT.exe PID: 6588 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Source | Rule | Description | Author | Strings
0.0.njRAT.exe.db0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x9b1e:$a1: netsh firewall add allowedprogram
  • 0x9aa0:$b2: & exit
  • 0x9cda:$b2: & exit
  • 0x9a6e:$c1: md.exe /k ping 0 & del
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: njRAT.exe, Avira: detected
    Source: njRAT.exe, ReversingLabs: Detection: 86%
    Source: Yara match, File source: Process Memory Space: njRAT.exe PID: 6588, type: MEMORYSTR
    Source: njRAT.exe, Joe Sandbox ML: detected
    Source: njRAT.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\njRAT.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: njRAT.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: njRAT.exe, kl.cs, .Net Code: VKCodeToUnicode
    Source: njRAT.exe, 00000000.00000002.227821653.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud

    Source: Yara match, File source: Process Memory Space: njRAT.exe PID: 6588, type: MEMORYSTR

    System Summary

    Source: njRAT.exe, type: SAMPLE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
    Source: 0.0.njRAT.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
    Source: 00000000.00000000.223824156.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
    Source: njRAT.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: njRAT.exe, type: SAMPLE, Matched rule: njrat1, date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
    Source: 0.0.njRAT.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1, date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
    Source: 00000000.00000000.223824156.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: njrat1, date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
    Source: njRAT.exe, 00000000.00000002.227821653.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs njRAT.exe
    Source: njRAT.exe, ReversingLabs: Detection: 86%
    Source: njRAT.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\njRAT.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: njRAT.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    Source: C:\Users\user\Desktop\njRAT.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\njRAT.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\njRAT.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\Desktop\njRAT.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\njRAT.exe.log
    Source: classification engine, Classification label: mal88.troj.spyw.evad.winEXE@1/1@0/0
    Source: njRAT.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\njRAT.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: njRAT.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: njRAT.exe, A.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
    Source: C:\Users\user\Desktop\njRAT.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\njRAT.exe TID: 6608, Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\njRAT.exe, Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\njRAT.exe, Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: njRAT.exe, A.cs, Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
    Source: njRAT.exe, kl.cs, Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
    Source: njRAT.exe, kl.cs, Reference to suspicious API methods: GetAsyncKeyState(num2)

    Stealing of Sensitive Information

    Source: Yara match, File source: Process Memory Space: njRAT.exe PID: 6588, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match, File source: Process Memory Space: njRAT.exe PID: 6588, type: MEMORYSTR

    Mitre Att&ck Matrix (techniques listed per tactic; a number in parentheses is the count shown next to that technique in the report)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Software Packing (1)
    Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS
    Discovery: Virtualization/Sandbox Evasion (21); System Information Discovery (1); Query Registry; System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Input Capture (11); Archive Collected Data (1); Data from Network Shared Drive; Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
    Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

    [Behavior graph: ID: 1299576, Sample: njRAT.exe, Startdate: 29/08/2023, Architecture: WINDOWS, Score: 88. Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures. Process: njRAT.exe started.]

    Source | Detection | Scanner | Label | Link
    njRAT.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi |
    njRAT.exe | 100% | Avira | TR/Agent.5587925 |
    njRAT.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version:38.0.0 Beryl
    Analysis ID:1299576
    Start date and time:2023-08-29 18:41:35 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 2m 57s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample file name:njRAT.exe
    Detection:MAL
    Classification:mal88.troj.spyw.evad.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 15
    • Number of non-executed functions: 8
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Execution Graph export aborted for target njRAT.exe, PID 6588 because it is empty
    • VT rate limit hit for: njRAT.exe
    No simulations
    No context
    Process:C:\Users\user\Desktop\njRAT.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):525
    Entropy (8bit):5.2874233355119316
    Encrypted:false
    SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
    MD5:80EFBEC081D7836D240503C4C9465FEC
    SHA1:6AF398E08A359457083727BAF296445030A55AC3
    SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
    SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
    Malicious:false
    Reputation:high, very likely benign file
    Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit):5.553190395444543
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    • Win32 Executable (generic) a (10002005/4) 49.75%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Windows Screen Saver (13104/52) 0.07%
    • Generic Win/DOS Executable (2004/3) 0.01%
    File name:njRAT.exe
    File size:44'544 bytes
    MD5:91f9995d4a2bc9ce890906439b796f29
    SHA1:2b986160109af89693c732ee3c510bff248300d4
    SHA256:d2e04274b842009181f6dc30792f0f15837b92e8effe06f1de08e96453ecfb32
    SHA512:71e784608e9d93fa865aa7562f95ee68a69de2e0241b802e8f64c0e498da4f4c2930390f102c9006680e094b8272d81acff448321855becd509b5e5f31d21056
    SSDEEP:768:wiIoVL8OfetlSK4owTrq9GTN2JE5C1X6HsjHaHqvt71I7dL1MnbN1cHIHCCjPkaU:lWG4dukLfa8bNHCCrk
    TLSH:7213D68F63944B32C2BCABB94512E7195BF1B3870D53C39D0CEC84DA1F7AA44998B1D2
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.d................................. ........@.. ....................... ............@................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x40c4de
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp:0x64DA3EE4 [Mon Aug 14 14:49:08 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
    Instruction
    jmp dword ptr [00402000h]
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc490 | 0x4b | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x400 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0xa4e4 | 0xa600 | False | 0.41050922439759036 | data | 5.640350748765772 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0xe000 | 0x400 | 0x400 | False | 0.3017578125 | data | 3.5160679793070893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_MANIFEST | 0xe058 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

    DLL | Import
    mscoree.dll | _CorExeMain
    No network behavior found

    Target ID:0
    Start time:18:42:35
    Start date:29/08/2023
    Path:C:\Users\user\Desktop\njRAT.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\njRAT.exe
    Imagebase:0xdb0000
    File size:44'544 bytes
    MD5 hash:91F9995D4A2BC9CE890906439B796F29
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Yara matches:
    • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.223824156.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
    Reputation:low
    Has exited:true

    Executed Functions

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c673f400594d60f83634a5c2bc14afb1af466d63f40390661307f511fb57908e
    • Instruction ID: 7d2a65c51d67246ae21d73d23f06b9d0281263ce3717b48b04ce2c4d275b790d
    • Opcode Fuzzy Hash: c673f400594d60f83634a5c2bc14afb1af466d63f40390661307f511fb57908e
    • Instruction Fuzzy Hash: 6BC08C39300524A7CA1637EC70180AEBB9EFA8976A7840015E60BD3340CF151C0043EA
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000000.00000002.228147325.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5570000_njRAT.jbxd