Windows Analysis Report
Client.exe

Overview

General Information

Sample name:	Client.exe
Analysis ID:	1646221
MD5:	2a357b0ef639d2d4fbe0ffe0253bb81f
SHA1:	1a6c0a02eb660712956e0c7aeb040055a4ad1c4b
SHA256:	afd119ef00e6c4874e06532156235e0b99cc3039d4e03b96f5574e171054037a
Tags:	exeuser-BastianHein
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.2.Client.exe.30f8604.0.raw.unpack

Malware Configuration Extractor: Njrat {"Host": "Client.exe", "Port": "7940", "Campaign ID": "HacKed", "Version": "Platinum", "Network Seprator": "|Ghost|"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: Client.exe	ReversingLabs: Detection: 86%
Source: Client.exe	Virustotal: Detection: 75%			Perma Link

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses 32bit PE files

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49681 -> 147.185.221.27:7940

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 147.185.221.27 147.185.221.27

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: anyone-center.gl.at.ply.gg

Source: Client.exe, 00000000.00000002.1024033892.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/EngADTbC
Source: Client.exe, Client.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: Client.exe, Form1.cs	.Net Code: SetHook
Source: Client.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: Client.exe.0.dr, Form1.cs	.Net Code: SetHook
Source: Client.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Client.exe.30f8604.0.raw.unpack, Form1.cs	.Net Code: SetHook
Source: 0.2.Client.exe.30f8604.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Client.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: Client.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Client.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Client.exe, type: SAMPLE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_0305292A		0_2_0305292A
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 1_2_02DE8BD0		1_2_02DE8BD0

Sample file is different than original file name gathered from version info

Source: Client.exe, 00000000.00000002.1023322988.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Client.exe
Source: Client.exe, 00000001.00000002.3428576235.0000000000F38000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Client.exe
Source: Client.exe, 00000001.00000002.3428910326.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Client.exe

Uses 32bit PE files

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Client.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client.exe, type: SAMPLE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Client.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Client.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Client.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: Client.exe, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Client.exe, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Client.exe

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to behavior

Source: Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client.exe	ReversingLabs: Detection: 86%
Source: Client.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Desktop\Client.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Client.exe "C:\Users\user\Desktop\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Client.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Client.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.Client.exe.30f8604.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Drops PE files

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Client.exe, Client.exe.0.dr

Binary or memory string: WIRESHARK.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Client.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: threadDelayed 3565	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: threadDelayed 5839	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Client.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7096	Thread sleep count: 3565 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep count: 5839 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep time: -5839000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&/
Source: Client.exe, 00000000.00000002.1023322988.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y}
Source: Client.exe, 00000000.00000002.1023322988.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Client.exe.0.dr	Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Client.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Client.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Client.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Client.exe

Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"

Jump to behavior

Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager&
Source: Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.000000000328C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Client.exe, Client.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJ
Source: Client.exe, Client.exe.0.dr	Binary or memory string: Progman!ChamaFrmTerrorrr
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerV
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.000000000328C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Client.exe, 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, Client.exe, 00000000.00000002.1024033892.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe.0.dr

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.27	anyone-center.gl.at.ply.gg	United States		12087	SALSGIVERUS	false

Contacted Domains

Name	IP	Active
anyone-center.gl.at.ply.gg	147.185.221.27	true

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.2.Client.exe.30f8604.0.raw.unpack

Malware Configuration Extractor: Njrat {"Host": "Client.exe", "Port": "7940", "Campaign ID": "HacKed", "Version": "Platinum", "Network Seprator": "|Ghost|"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: Client.exe	ReversingLabs: Detection: 86%
Source: Client.exe	Virustotal: Detection: 75%			Perma Link

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses 32bit PE files

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49681 -> 147.185.221.27:7940

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 147.185.221.27 147.185.221.27

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: anyone-center.gl.at.ply.gg

Source: Client.exe, 00000000.00000002.1024033892.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/EngADTbC
Source: Client.exe, Client.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: Client.exe, Form1.cs	.Net Code: SetHook
Source: Client.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: Client.exe.0.dr, Form1.cs	.Net Code: SetHook
Source: Client.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Client.exe.30f8604.0.raw.unpack, Form1.cs	.Net Code: SetHook
Source: 0.2.Client.exe.30f8604.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Client.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: Client.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Client.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Client.exe, type: SAMPLE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_0305292A		0_2_0305292A
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 1_2_02DE8BD0		1_2_02DE8BD0

Sample file is different than original file name gathered from version info

Source: Client.exe, 00000000.00000002.1023322988.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Client.exe
Source: Client.exe, 00000001.00000002.3428576235.0000000000F38000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Client.exe
Source: Client.exe, 00000001.00000002.3428910326.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Client.exe

Uses 32bit PE files

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Client.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client.exe, type: SAMPLE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Client.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Client.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Client.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: Client.exe, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Client.exe, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Client.exe

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to behavior

Source: Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client.exe	ReversingLabs: Detection: 86%
Source: Client.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Desktop\Client.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Client.exe "C:\Users\user\Desktop\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Client.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Client.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.Client.exe.30f8604.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Drops PE files

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Client.exe, Client.exe.0.dr

Binary or memory string: WIRESHARK.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Client.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: threadDelayed 3565	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: threadDelayed 5839	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Client.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7096	Thread sleep count: 3565 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep count: 5839 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep time: -5839000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&/
Source: Client.exe, 00000000.00000002.1023322988.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y}
Source: Client.exe, 00000000.00000002.1023322988.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Client.exe.0.dr	Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Client.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Client.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Client.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Client.exe

Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"

Jump to behavior

Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager&
Source: Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.000000000328C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Client.exe, Client.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJ
Source: Client.exe, Client.exe.0.dr	Binary or memory string: Progman!ChamaFrmTerrorrr
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerV
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.000000000328C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

ID:	1646221
Product:	CloudBasic
Start time:	17:13:25
Start date:	23.03.2025
Sample:	Client.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2a357b0ef639d2d4fbe0ffe0253bb81f
SHA1:	1a6c0a02eb660712956e0c7aeb040055a4ad1c4b
SHA256:	afd119ef00e6c4874e06532156235e0b99cc3039d4e03b96f5574e171054037a
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log	ASCII text, with CRLF line terminators	772DEDF110E6B8108DC618DC8FCCC04F	3B6AE6F5F21A4B3734618AFFF3AD8BA2F96C6DBE	DD1B1A28C3F281DEB153B08B3E3883BFED888A9014DF431CB21C01A969C5966E
C:\Users\user\AppData\Local\Temp\Client.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2A357B0EF639D2D4FBE0FFE0253BB81F	1A6C0A02EB660712956E0C7AEB040055A4AD1C4B	AFD119EF00E6C4874E06532156235E0B99CC3039D4E03B96F5574E171054037A

Windows Analysis Report
Client.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report Client.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
Client.exe

Malware Threat Intel
Provided by