Windows Analysis Report
LisectAVT_2403002A_473.exe
Overview
General Information
Detection: | Njrat, XWorm |
Score: | 90 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected MSILDownloaderGeneric
Yara detected Njrat
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the user root directory
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Opens the same file many times (likely Sandbox evasion)
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Explorer Process Tree Break
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- LisectAVT_2403002A_473.exe (PID: 5604 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_473.exe" MD5: F256345478D00E975E7C0987FA05F63E)
- LocalM_d_cKXRrV.exe (PID: 4932 cmdline: "C:\Users\user\AppData\LocalM_d_cKXRrV.exe" MD5: D9008A8A000519606DFEFFA4534EBEA6)
- server.exe (PID: 7316 cmdline: "C:\Users\user\server.exe" MD5: D9008A8A000519606DFEFFA4534EBEA6)
- netsh.exe (PID: 7468 cmdline: netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
- conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- LocalylmNBbjoFA.exe (PID: 6520 cmdline: "C:\Users\user\AppData\LocalylmNBbjoFA.exe" MD5: A564D608712A46330CB0EAD21BE9EBE1)
- Local_wGRdnhmmy.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Local_wGRdnhmmy.exe" MD5: AA67D8767569DA14EB97BFFBD68B4891)
- schtasks.exe (PID: 7352 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- CustomRP.exe (PID: 7352 cmdline: "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe" MD5: F5272C58C58CBD9B5C1E5983D02E50DB)
- LocalwCRkvqzBqW.exe (PID: 7128 cmdline: "C:\Users\user\AppData\LocalwCRkvqzBqW.exe" MD5: 6C0447DFFA3BF642FBFB2ED8852E0B6A)
- LocalwCRkvqzBqW.tmp (PID: 3452 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp" /SL5="$20408,5483573,1081856,C:\Users\user\AppData\LocalwCRkvqzBqW.exe" MD5: 20A49D1D5D967B96F0A856E5F4726626)
- CustomRP.exe (PID: 8140 cmdline: "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe" MD5: F5272C58C58CBD9B5C1E5983D02E50DB)
- explorer.exe (PID: 3088 cmdline: "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up MD5: DD6597597673F72E10C9DE7901FBA0A8)
- CustomRP.1.17.26.exe (PID: 4816 cmdline: "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe" MD5: B67CCE9E674AA1E40173FE8A1FA6F368)
- CustomRP.1.17.26.tmp (PID: 6300 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp" /SL5="$404B2,5498303,1081856,C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe" MD5: F7F67DCD5304161073506073C7AA1A43)
- CustomRP.exe (PID: 6488 cmdline: "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe" MD5: 43E80724F03F1456E10E74FBAEC1F280)
- Local_wGRdnhmmy.exe (PID: 7624 cmdline: "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe" MD5: AA67D8767569DA14EB97BFFBD68B4891)
- Local_wGRdnhmmy.exe (PID: 7692 cmdline: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe MD5: AA67D8767569DA14EB97BFFBD68B4891)
- Local_wGRdnhmmy.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe" MD5: AA67D8767569DA14EB97BFFBD68B4891)
- explorer.exe (PID: 3672 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
- chrome.exe (PID: 1268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://docs.customrp.xyz/setting-up MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- chrome.exe (PID: 3988 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,15522809999631733676,11133617490285214044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- Local_wGRdnhmmy.exe (PID: 4412 cmdline: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe MD5: AA67D8767569DA14EB97BFFBD68B4891)
- Local_wGRdnhmmy.exe (PID: 7716 cmdline: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe MD5: AA67D8767569DA14EB97BFFBD68B4891)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. | | | |
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution | | |
{"C2 url": ["h2cker.ddns.net"], "Port": "0194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
{"Host": "server.exe", "Port": "h2cker.ddns.net", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "UserProfile", "Install Dir": "xdefg"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | | |
Windows_Trojan_Njrat_30f3c220 | unknown | unknown | | |
njrat1 | Identify njRat | Brian Wallace @botnet_hunter | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | | |
Windows_Trojan_Njrat_30f3c220 | unknown | unknown | | |
njrat1 | Identify njRat | Brian Wallace @botnet_hunter | | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | | |
Windows_Trojan_Njrat_30f3c220 | unknown | unknown | | |
njrat1 | Identify njRat | Brian Wallace @botnet_hunter | | |
MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | | |
System Summary |
---|
Source: | Author: Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: frack113, Nasreddine Bencherchali |
No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
2024-07-25T19:45:45.232027+0200 | 2011803 | 443 | 49789 | TCP | Executable code was detected |
2024-07-25T19:45:41.091381+0200 | 2022930 | 443 | 49735 | TCP | A Network Trojan was detected |
2024-07-25T19:45:01.781601+0200 | 2022930 | 443 | 49701 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Malware Configuration Extractor: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Window detected: |