Windows Analysis Report
1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

Overview

General Information

Sample name:	1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe
Analysis ID:	1534529
MD5:	ad7c5d172b6fe743db4585f420a4265c
SHA1:	14abd6a4ba706dab1c35e9c9d8c0c1ec374b213e
SHA256:	286e54c84b3c8b6bc6c202c9719365c31156c062e90cc1452ef1206f8710e3f9
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Mofksys, Njrat

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mofksys

Yara detected Njrat

May infect USB drives

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mofksys		No Attribution	https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/	https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Signatures

AV Detection

Yara detected Njrat

Source: Yara match

File source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE

Spreading

Yara detected Mofksys

Source: Yara match

File source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE

May infect USB drives

Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe	Binary or memory string: autorun.inf
Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe	Binary or memory string: [autorun]

Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

E-Banking Fraud

Yara detected Njrat

Source: Yara match

File source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE

System Summary

Malicious sample detected (through community Yara rule)

Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

Binary or memory string: OriginalFilenameTJprojMain.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"? vs 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

Yara signature match

Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

Binary or memory string: A*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp

Source: classification engine

Classification label: mal64.spre.troj.winEXE@0/0@0/0

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match

File source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected Njrat

Source: Yara match

File source: 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1534529
Product:	CloudBasic
Start time:	00:12:39
Start date:	16.10.2024
Sample:	1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ad7c5d172b6fe743db4585f420a4265c
SHA1:	14abd6a4ba706dab1c35e9c9d8c0c1ec374b213e
SHA256:	286e54c84b3c8b6bc6c202c9719365c31156c062e90cc1452ef1206f8710e3f9
Filetype:	Generic Win/DOS Executable (2004/3) 49.94%

Windows Analysis Report 1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Spreading

Networking

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
1729029847909bd6babf7b44250bc69e37cfeb1b1668fcd569b58c775e8e5ded95c7ac3d14184.dat-decoded.exe

Malware Threat Intel
Provided by