Windows Analysis Report
6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Overview

General Information

Sample name:	6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Analysis ID:	1464664
MD5:	cdbd17db2f4325747f75eba39057c3ab
SHA1:	3465a12de6e6e606da95988eba8910fda080b112
SHA256:	6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85da93f65fa8abc0c5b09
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "googledocs.duckdns.org:1316", "Campaign ID": "EaseUs", "Install Name": "6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe", "Install Dir": "Desktop"}

Multi AV Scanner detection for submitted file

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	ReversingLabs: Detection: 65%
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Virustotal: Detection: 74%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdbQckc ]c_CorDllMainmscoree.dll source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\Hacking\njrat 0.7d Private Edition\Edited Stub SRC\j\obj\Debug\Rrr.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov ecx, dword ptr [041D6EA4h]	0_2_0537342A
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_05370070
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov ecx, dword ptr [041D6E84h]	0_2_05372C78
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then jmp 05372C48h	0_2_05372782
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov eax, dword ptr [ebp-000000A8h]	0_2_05371180
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov ecx, dword ptr [041D6EA4h]	0_2_05373510
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_05370006

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49735 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49735 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49735 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49738 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49750 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49751 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53422 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53422 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53423 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53423 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53424 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53424 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53425 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:53425 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53425 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53426 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53426 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53427 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53427 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53428 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53428 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53429 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53429 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53430 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53430 -> 192.169.69.25:1316

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: googledocs.duckdns.org:1316

Uses dynamic DNS services

Source: unknown

DNS query: name: googledocs.duckdns.org

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.169.69.25 192.169.69.25
Source: Joe Sandbox View	IP Address: 192.169.69.25 192.169.69.25

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: googledocs.duckdns.org

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000119F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI0i
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000119F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0xh
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://www.videolan.org/0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_0537342A	0_2_0537342A
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05372C78	0_2_05372C78
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05372782	0_2_05372782
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05371180	0_2_05371180
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05374DE0	0_2_05374DE0
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05370510	0_2_05370510
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05372C68	0_2_05372C68
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05370D98	0_2_05370D98

PE / OLE file has an invalid certificate

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000000.1626633923.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePicasa.exe. vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRrr.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000116E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll< vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094468912.00000000057E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIntro.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIntro.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRrr.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Binary or memory string: OriginalFilenamePicasa.exe. vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Uses 32bit PE files

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@16/1

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_010DAD42 AdjustTokenPrivileges,		0_2_010DAD42
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_010DAD0B AdjustTokenPrivileges,		0_2_010DAD0B

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Mutant created: \Sessions\1\BaseNamedObjects\[RG]
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	ReversingLabs: Detection: 65%
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Virustotal: Detection: 74%

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File read: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdbQckc ]c_CorDllMainmscoree.dll source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\Hacking\njrat 0.7d Private Edition\Edited Stub SRC\j\obj\Debug\Rrr.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	.Net Code: Rya249 System.AppDomain.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	.Net Code: checkifdotnet System.Reflection.Assembly.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57e0000.2.raw.unpack, Module1.cs	.Net Code: Main System.AppDomain.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, Module1.cs	.Net Code: Main System.AppDomain.Load(byte[])

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: section name: .text entropy: 7.56568122650443

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Memory allocated: 1470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Memory allocated: 1470000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Window / User API: threadDelayed 1839	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Window / User API: threadDelayed 8131	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Window / User API: foregroundWindowGot 1772	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe TID: 6592	Thread sleep time: -1839000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe TID: 6592	Thread sleep time: -8131000s >= -30000s			Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.0000000001236000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <add name="AspNetSqlProfileProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a

Enables debug privileges

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.25	googledocs.duckdns.org	United States		23033	WOWUS	true

Contacted Domains

Name	IP	Active
googledocs.duckdns.org	192.169.69.25	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
googledocs.duckdns.org:1316	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "googledocs.duckdns.org:1316", "Campaign ID": "EaseUs", "Install Name": "6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe", "Install Dir": "Desktop"}

Multi AV Scanner detection for submitted file

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	ReversingLabs: Detection: 65%
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Virustotal: Detection: 74%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdbQckc ]c_CorDllMainmscoree.dll source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\Hacking\njrat 0.7d Private Edition\Edited Stub SRC\j\obj\Debug\Rrr.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov ecx, dword ptr [041D6EA4h]	0_2_0537342A
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_05370070
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov ecx, dword ptr [041D6E84h]	0_2_05372C78
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then jmp 05372C48h	0_2_05372782
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov eax, dword ptr [ebp-000000A8h]	0_2_05371180
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then mov ecx, dword ptr [041D6EA4h]	0_2_05373510
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_05370006

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49735 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49735 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49735 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49738 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49750 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49751 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53422 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53422 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53423 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53423 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53424 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53424 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53425 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:53425 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53425 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53426 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53426 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53427 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53427 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53428 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53428 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53429 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53429 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53430 -> 192.169.69.25:1316
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53430 -> 192.169.69.25:1316

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: googledocs.duckdns.org:1316

Uses dynamic DNS services

Source: unknown

DNS query: name: googledocs.duckdns.org

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.169.69.25 192.169.69.25
Source: Joe Sandbox View	IP Address: 192.169.69.25 192.169.69.25

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: googledocs.duckdns.org

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000119F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI0i
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000119F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0xh
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: http://www.videolan.org/0
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_0537342A	0_2_0537342A
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05372C78	0_2_05372C78
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05372782	0_2_05372782
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05371180	0_2_05371180
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05374DE0	0_2_05374DE0
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05370510	0_2_05370510
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05372C68	0_2_05372C68
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_05370D98	0_2_05370D98

PE / OLE file has an invalid certificate

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000000.1626633923.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePicasa.exe. vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRrr.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000116E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll< vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094468912.00000000057E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIntro.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIntro.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRrr.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Binary or memory string: OriginalFilenamePicasa.exe. vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Uses 32bit PE files

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@16/1

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_010DAD42 AdjustTokenPrivileges,		0_2_010DAD42
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Code function: 0_2_010DAD0B AdjustTokenPrivileges,		0_2_010DAD0B

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Mutant created: \Sessions\1\BaseNamedObjects\[RG]
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	ReversingLabs: Detection: 65%
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Virustotal: Detection: 74%

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File read: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdbQckc ]c_CorDllMainmscoree.dll source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\Hacking\njrat 0.7d Private Edition\Edited Stub SRC\j\obj\Debug\Rrr.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	.Net Code: Rya249 System.AppDomain.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	.Net Code: checkifdotnet System.Reflection.Assembly.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57e0000.2.raw.unpack, Module1.cs	.Net Code: Main System.AppDomain.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, Module1.cs	.Net Code: Main System.AppDomain.Load(byte[])

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Static PE information: section name: .text entropy: 7.56568122650443

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Memory allocated: 1470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Memory allocated: 1470000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Window / User API: threadDelayed 1839	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Window / User API: threadDelayed 8131	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Window / User API: foregroundWindowGot 1772	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe TID: 6592	Thread sleep time: -1839000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe TID: 6592	Thread sleep time: -8131000s >= -30000s			Jump to behavior

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.0000000001236000.00000004.00000020.00020000.00000000.sdmp

Enables debug privileges

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)

Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR

ID:	1464664
Product:	CloudBasic
Start time:	18:11:05
Start date:	29.06.2024
Sample:	6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	cdbd17db2f4325747f75eba39057c3ab
SHA1:	3465a12de6e6e606da95988eba8910fda080b112
SHA256:	6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85da93f65fa8abc0c5b09
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Windows Analysis Report
6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe

Malware Threat Intel
Provided by