Windows Analysis Report
mS9Dzx612m.exe

Overview

General Information

Sample name: mS9Dzx612m.exe
renamed because original name is a hash value
Original sample name: 9407D488CE708562EC4EAE45FAEDE739.exe
Analysis ID: 1479344
MD5: 9407d488ce708562ec4eae45faede739
SHA1: 1afb767c8161047765e0c860178f6703aa190798
SHA256: 74877604fd5801b2891e361de42ead1c0b7e1a04f4cde182bee5a30f1971eceb
Tags: exe, njrat, RAT

Detection

Njrat
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: mS9Dzx612m.exe Avira: detected
Source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Njrat {"Host": "seznam.zapto.org", "Port": "5050", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "76c8ec7d474b4123895"}
Source: mS9Dzx612m.exe ReversingLabs: Detection: 60%
Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: mS9Dzx612m.exe Joe Sandbox ML: detected
Source: mS9Dzx612m.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mS9Dzx612m.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic TCP traffic: 192.168.2.10:49700 -> 34.102.5.126:5050
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: seznam.zapto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Keylogger.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_00B188D0 0_2_00B188D0
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_00B197C0 0_2_00B197C0
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_00B1D290 0_2_00B1D290
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_025DD320 0_2_025DD320
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_025D5920 0_2_025D5920
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_025D3C68 0_2_025D3C68
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_025D8752 0_2_025D8752
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_025D383C 0_2_025D383C
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_025D6950 0_2_025D6950
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_05953BA0 0_2_05953BA0
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_05956350 0_2_05956350
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_059532B0 0_2_059532B0
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Code function: 0_2_05952F60 0_2_05952F60
Source: mS9Dzx612m.exe, 00000000.00000002.3693713699.000000000062E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs mS9Dzx612m.exe
Source: mS9Dzx612m.exe, 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamenyan.exe4 vs mS9Dzx612m.exe
Source: mS9Dzx612m.exe, 00000000.00000002.3693424640.0000000000537000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs mS9Dzx612m.exe
Source: mS9Dzx612m.exe, 00000000.00000000.1233167583.0000000000144000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAMD VERSION.exe8 vs mS9Dzx612m.exe
Source: mS9Dzx612m.exe Binary or memory string: OriginalFilenameAMD VERSION.exe8 vs mS9Dzx612m.exe
Source: mS9Dzx612m.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mS9Dzx612m.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mS9Dzx612m.exe, b.cs Cryptographic APIs: 'CreateDecryptor'
Source: mS9Dzx612m.exe, a.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Mutant created: \Sessions\1\BaseNamedObjects\76c8ec7d474b4123895
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Mutant created: NULL
Source: mS9Dzx612m.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mS9Dzx612m.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mS9Dzx612m.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: mS9Dzx612m.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mS9Dzx612m.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: mS9Dzx612m.exe, b.cs .Net Code: a System.AppDomain.Load(byte[])
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Program.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: mS9Dzx612m.exe Static PE information: section name: .text entropy: 7.693729863412956
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Memory allocated: B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Memory allocated: 2460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Window / User API: threadDelayed 495
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Window / User API: threadDelayed 3828
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Window / User API: threadDelayed 5185
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Window / User API: foregroundWindowGot 1765
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 Thread sleep count: 495 > 30
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 Thread sleep time: -495000s >= -30000s
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 8096 Thread sleep count: 3828 > 30
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 Thread sleep count: 5185 > 30
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 Thread sleep time: -5185000s >= -30000s
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Program.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Keylogger.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager]B
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager'
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerKq
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageraB
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerAB
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageruB
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerO
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageryB
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerYB
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7
Source: mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002667000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1B
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagereB
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager?
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager!Bg
Source: mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002667000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Queries volume information: C:\Users\user\Desktop\mS9Dzx612m.exe VolumeInformation
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\mS9Dzx612m.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR