Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe
Overview
General Information
Detection
Njrat
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Disables zone checking for all users
Drops PE files to the startup folder
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Excessive usage of taskkill to terminate processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe (PID: 1308 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Win64.RATX -gen.28952 .31676.exe " MD5: 317B3672B23E381F9A37D7D6EC884BB0) - powershell.exe (PID: 6148 cmdline:
"powershel l.exe" Add -MpPrefere nce -Exclu sionProces s "Securit eInfo.com. Win64.RATX -gen.28952 .31676.exe ";Add-MpPr eference - ExclusionP rocess "sv chost.exe" ;Add-MpPre ference -E xclusionPr ocess "Win dows.exe"; Add-MpPref erence -Ex clusionPat h "Windows .exe";Add- MpPreferen ce -Exclus ionPath "s vchost.exe ";Add-MpPr eference - ExclusionP rocess ".e xe";Add-Mp Preference -Exclusio nProcess " exe";Add-M pPreferenc e -Exclusi onPath 'C: \';Add-MpP reference -Exclusion Path '%App Data%\Micr osoft\Wind ows';Add-M pPreferenc e -Exclusi onPath 'C: \Users\use r\AppData\ Local\Temp ';Add-MpPr eference - ExclusionP ath 'C:\Us ers\user\A ppData\Roa ming\Micro soft\Windo ws';Add-Mp Preference -Exclusio nPath 'C:\ Users\user \AppData\R oaming\Mic rosoft\Win dows\Start Menu\Prog rams\Start up';Add-Mp Preference -Exclusio nPath 'C:\ Users\user \AppData\R oaming\Mic rosoft\Win dows\Windo ws.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3876 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WmiPrvSE.exe (PID: 2952 cmdline:
C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - Windows.exe (PID: 6768 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\W indows.exe " MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 5260 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 5352 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 5080 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 5344 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - svchost.exe (PID: 2300 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\svchos t.exe" MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 1272 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 1292 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 3652 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 5080 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 6208 cmdline:
schtasks / delete /tn "ChromeUp date" /f MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 5336 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 1308 cmdline:
schtasks / create /sc minute /m o 1 /tn "C hromeUpdat e" /tr C:\ Users\user \AppData\L ocal\Temp\ svchost.ex e MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 3920 cmdline:
"C:\Window s\System32 \cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Us ers\user\A ppData\Roa ming\Micro soft\Windo ws\Windows .exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - conhost.exe (PID: 6092 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7064 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\svchost .exe MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 2072 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 5020 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 5580 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 4128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 3292 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\svchos t.exe" .. MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 5592 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 4712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 5572 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 3192 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 5428 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7148 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\svchos t.exe" .. MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 2164 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 4688 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 3636 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 5020 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 2220 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\svchos t.exe" .. MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 6000 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 4244 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 5068 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 4148 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 3552 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\svchost .exe MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 5228 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 7064 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 2924 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 4208 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 5464 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\svc host.exe" MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 6532 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 3480 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 2820 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 3292 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 1352 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\svc host.exe" MD5: DAACCC9D9770CCAA2F1DEBE2FE91C08B) - taskkill.exe (PID: 5764 cmdline:
TASKKILL / F /IM wscr ipt.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 1632 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 6620 cmdline:
TASKKILL / F /IM cmd. exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - conhost.exe (PID: 3136 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
{"Host": "svchost.exe", "Port": "1118", "Campaign ID": "Victim", "Version": "Platinum", "Network Seprator": "|Ghost|"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
| |
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen |
| |
Click to see the 19 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
| |
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
Click to see the 11 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
| |
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen |
| |
Click to see the 25 entries |
System Summary |
---|
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: |
Source: | Author: Florian Roth (Nextron Systems): |