Windows Analysis Report
1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe

Overview

General Information

Sample name:	1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe
Analysis ID:	1534535
MD5:	ac189390185909cd4138ef73a54e008f
SHA1:	2a01ed827c6521900c933d3a0ee47f7e5eff1a2b
SHA256:	ca1b3be0a86b0a15e7f875c23e541f692cbe58c2d455e685c09f0fcb5bd9a965
Tags:	base64-decodedexeuser-abuse_ch
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Mofksys, Njrat

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Mofksys

Yara detected Njrat

Sample file is different than original file name gathered from version info

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mofksys		No Attribution	https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/	https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Signatures

AV Detection

Yara detected Njrat

Source: Yara match

File source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe, type: SAMPLE

Spreading

Yara detected Mofksys

Source: Yara match

File source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe, type: SAMPLE

E-Banking Fraud

Yara detected Njrat

Source: Yara match

File source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe, type: SAMPLE

Sample file is different than original file name gathered from version info

Source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe	Binary or memory string: OriginalFilenameTJprojMain.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"? vs 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe
Source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe	Binary or memory string: OriginalFilenameClient1.exe4 vs 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe

Source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe

Binary or memory string: A*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp

Source: classification engine

Classification label: mal56.spre.troj.winEXE@0/0@0/0

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match

File source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected Njrat

Source: Yara match

File source: 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe, type: SAMPLE

Screenshots

No Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1534535
Product:	CloudBasic
Start time:	00:24:38
Start date:	16.10.2024
Sample:	1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ac189390185909cd4138ef73a54e008f
SHA1:	2a01ed827c6521900c933d3a0ee47f7e5eff1a2b
SHA256:	ca1b3be0a86b0a15e7f875c23e541f692cbe58c2d455e685c09f0fcb5bd9a965
Filetype:	Generic Win/DOS Executable (2004/3) 49.94%

Windows Analysis Report 1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Spreading

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
1729029846d0d0587a6310dfe2e29127dec87eb85e9961141f11ae0c68cc7d81b5df02f2df239.dat-decoded.exe

Malware Threat Intel
Provided by