Edit tour

Windows Analysis Report
Client.exe

Overview

General Information

Sample name:	Client.exe
Analysis ID:	1646221
MD5:	2a357b0ef639d2d4fbe0ffe0253bb81f
SHA1:	1a6c0a02eb660712956e0c7aeb040055a4ad1c4b
SHA256:	afd119ef00e6c4874e06532156235e0b99cc3039d4e03b96f5574e171054037a
Tags:	exeuser-BastianHein
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Client.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\Client.exe" MD5: 2A357B0EF639D2D4FBE0FFE0253BB81F)

Client.exe (PID: 7080 cmdline: "C:\Users\user\AppData\Local\Temp\Client.exe" MD5: 2A357B0EF639D2D4FBE0FFE0253BB81F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{
  "Host": "Client.exe",
  "Port": "7940",
  "Campaign ID": "HacKed",
  "Version": "Platinum",
  "Network Seprator": "|Ghost|"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Client.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Client.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xab59:$a1: get_Registry 0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xd970:$a3: Download ERROR 0xdcf4:$a4: cmd.exe /c ping 0 -n 2 & del "
Client.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xdcf4:$x1: cmd.exe /c ping 0 -n 2 & del " 0xcfe0:$s1: winmgmts:\\.\root\SecurityCenter2 0xd992:$s3: Executed As 0xd970:$s6: Download ERROR 0xd5ee:$s7: shutdown -r -t 00 0xcfa2:$s8: Select * From AntiVirusProduct
Client.exe	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xe351:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xcc58:$s2: https://pastebin.com/raw/ 0xe85b:$s3: My.Computer 0xe32b:$s4: MyTemplate
Client.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xdd0a:$: ping 0 0xc90e:$: TiGeR-Firewall 0xc950:$: NetSnifferCs 0xc8fa:$: IPBlocker 0xc96a:$: Sandboxie Control
Client.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xdd7c:$b1: [TAP] 0xdcf4:$c3: cmd.exe /c ping
Client.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xdba2:$reg: SEE_MASK_NOZONECHECKS 0xd94c:$msg: Execute ERROR 0xd9ac:$msg: Execute ERROR 0xdcf4:$ping: cmd.exe /c ping 0 -n 2 & del
Client.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0xd446:$s1: \Classes\mscfile\shell\open\command 0xd48e:$s2: eventvwr.exe
Client.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xdcf4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xd94c:$s4: Execute ERROR 0xd9ac:$s4: Execute ERROR 0xd970:$s5: Download ERROR 0xdd32:$s6: [kl]
Click to see the 4 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Client.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\Client.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xab59:$a1: get_Registry 0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xd970:$a3: Download ERROR 0xdcf4:$a4: cmd.exe /c ping 0 -n 2 & del "
C:\Users\user\AppData\Local\Temp\Client.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xdcf4:$x1: cmd.exe /c ping 0 -n 2 & del " 0xcfe0:$s1: winmgmts:\\.\root\SecurityCenter2 0xd992:$s3: Executed As 0xd970:$s6: Download ERROR 0xd5ee:$s7: shutdown -r -t 00 0xcfa2:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\Temp\Client.exe	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xe351:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xcc58:$s2: https://pastebin.com/raw/ 0xe85b:$s3: My.Computer 0xe32b:$s4: MyTemplate
C:\Users\user\AppData\Local\Temp\Client.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xdd0a:$: ping 0 0xc90e:$: TiGeR-Firewall 0xc950:$: NetSnifferCs 0xc8fa:$: IPBlocker 0xc96a:$: Sandboxie Control
C:\Users\user\AppData\Local\Temp\Client.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xdd7c:$b1: [TAP] 0xdcf4:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\Client.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xdba2:$reg: SEE_MASK_NOZONECHECKS 0xd94c:$msg: Execute ERROR 0xd9ac:$msg: Execute ERROR 0xdcf4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\Client.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0xd446:$s1: \Classes\mscfile\shell\open\command 0xd48e:$s2: eventvwr.exe
C:\Users\user\AppData\Local\Temp\Client.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xdcf4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xd94c:$s4: Execute ERROR 0xd9ac:$s4: Execute ERROR 0xd970:$s5: Download ERROR 0xdd32:$s6: [kl]
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa959:$a1: get_Registry 0xd9a2:$a2: SEE_MASK_NOZONECHECKS 0xd770:$a3: Download ERROR 0xdaf4:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xd9a2:$a2: SEE_MASK_NOZONECHECKS 0xdb7c:$b1: [TAP] 0xdaf4:$c3: cmd.exe /c ping
00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xd9a2:$reg: SEE_MASK_NOZONECHECKS 0xd74c:$msg: Execute ERROR 0xd7ac:$msg: Execute ERROR 0xdaf4:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xe15d:$a1: get_Registry 0x23b0:$a2: SEE_MASK_NOZONECHECKS 0x111a6:$a2: SEE_MASK_NOZONECHECKS 0x10f74:$a3: Download ERROR 0x112f8:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x23b0:$a2: SEE_MASK_NOZONECHECKS 0x111a6:$a2: SEE_MASK_NOZONECHECKS 0x11380:$b1: [TAP] 0x112f8:$c3: cmd.exe /c ping
00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x23b0:$reg: SEE_MASK_NOZONECHECKS 0x111a6:$reg: SEE_MASK_NOZONECHECKS 0x10f50:$msg: Execute ERROR 0x10fb0:$msg: Execute ERROR 0x112f8:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: Client.exe PID: 6792	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Client.exe.e00000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.Client.exe.e00000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xab59:$a1: get_Registry 0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xd970:$a3: Download ERROR 0xdcf4:$a4: cmd.exe /c ping 0 -n 2 & del "
0.0.Client.exe.e00000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xdcf4:$x1: cmd.exe /c ping 0 -n 2 & del " 0xcfe0:$s1: winmgmts:\\.\root\SecurityCenter2 0xd992:$s3: Executed As 0xd970:$s6: Download ERROR 0xd5ee:$s7: shutdown -r -t 00 0xcfa2:$s8: Select * From AntiVirusProduct
0.0.Client.exe.e00000.0.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xe351:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xcc58:$s2: https://pastebin.com/raw/ 0xe85b:$s3: My.Computer 0xe32b:$s4: MyTemplate
0.0.Client.exe.e00000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xdd0a:$: ping 0 0xc90e:$: TiGeR-Firewall 0xc950:$: NetSnifferCs 0xc8fa:$: IPBlocker 0xc96a:$: Sandboxie Control
0.0.Client.exe.e00000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xdd7c:$b1: [TAP] 0xdcf4:$c3: cmd.exe /c ping
0.0.Client.exe.e00000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xdba2:$reg: SEE_MASK_NOZONECHECKS 0xd94c:$msg: Execute ERROR 0xd9ac:$msg: Execute ERROR 0xdcf4:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.Client.exe.e00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0xd446:$s1: \Classes\mscfile\shell\open\command 0xd48e:$s2: eventvwr.exe
0.0.Client.exe.e00000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xdcf4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xd94c:$s4: Execute ERROR 0xd9ac:$s4: Execute ERROR 0xd970:$s5: Download ERROR 0xdd32:$s6: [kl]
0.2.Client.exe.30f8604.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.Client.exe.30f8604.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.Client.exe.30f8604.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x8d59:$a1: get_Registry 0xbda2:$a2: SEE_MASK_NOZONECHECKS 0xbb70:$a3: Download ERROR 0xbef4:$a4: cmd.exe /c ping 0 -n 2 & del "
0.2.Client.exe.30f8604.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xab59:$a1: get_Registry 0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xd970:$a3: Download ERROR 0xdcf4:$a4: cmd.exe /c ping 0 -n 2 & del "
0.2.Client.exe.30f8604.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xbef4:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb1e0:$s1: winmgmts:\\.\root\SecurityCenter2 0xbb92:$s3: Executed As 0xbb70:$s6: Download ERROR 0xb7ee:$s7: shutdown -r -t 00 0xb1a2:$s8: Select * From AntiVirusProduct
0.2.Client.exe.30f8604.0.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xc551:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xae58:$s2: https://pastebin.com/raw/ 0xca5b:$s3: My.Computer 0xc52b:$s4: MyTemplate
0.2.Client.exe.30f8604.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xbf0a:$: ping 0 0xab0e:$: TiGeR-Firewall 0xab50:$: NetSnifferCs 0xaafa:$: IPBlocker 0xab6a:$: Sandboxie Control
0.2.Client.exe.30f8604.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xbda2:$a2: SEE_MASK_NOZONECHECKS 0xbf7c:$b1: [TAP] 0xbef4:$c3: cmd.exe /c ping
0.2.Client.exe.30f8604.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xbda2:$reg: SEE_MASK_NOZONECHECKS 0xbb4c:$msg: Execute ERROR 0xbbac:$msg: Execute ERROR 0xbef4:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.Client.exe.30f8604.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0xb646:$s1: \Classes\mscfile\shell\open\command 0xb68e:$s2: eventvwr.exe
0.2.Client.exe.30f8604.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xbef4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xbb4c:$s4: Execute ERROR 0xbbac:$s4: Execute ERROR 0xbb70:$s5: Download ERROR 0xbf32:$s6: [kl]
0.2.Client.exe.30f8604.0.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xdcf4:$x1: cmd.exe /c ping 0 -n 2 & del " 0xcfe0:$s1: winmgmts:\\.\root\SecurityCenter2 0xd992:$s3: Executed As 0xd970:$s6: Download ERROR 0xd5ee:$s7: shutdown -r -t 00 0xcfa2:$s8: Select * From AntiVirusProduct
0.2.Client.exe.30f8604.0.raw.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xe351:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xcc58:$s2: https://pastebin.com/raw/ 0xe85b:$s3: My.Computer 0xe32b:$s4: MyTemplate
0.2.Client.exe.30f8604.0.raw.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xdd0a:$: ping 0 0xc90e:$: TiGeR-Firewall 0xc950:$: NetSnifferCs 0xc8fa:$: IPBlocker 0xc96a:$: Sandboxie Control
0.2.Client.exe.30f8604.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xdba2:$a2: SEE_MASK_NOZONECHECKS 0xdd7c:$b1: [TAP] 0xdcf4:$c3: cmd.exe /c ping
0.2.Client.exe.30f8604.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xdba2:$reg: SEE_MASK_NOZONECHECKS 0xd94c:$msg: Execute ERROR 0xd9ac:$msg: Execute ERROR 0xdcf4:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.Client.exe.30f8604.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0xd446:$s1: \Classes\mscfile\shell\open\command 0xd48e:$s2: eventvwr.exe
0.2.Client.exe.30f8604.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xdcf4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xd94c:$s4: Execute ERROR 0xd9ac:$s4: Execute ERROR 0xd970:$s5: Download ERROR 0xdd32:$s6: [kl]
Click to see the 22 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.2.Client.exe.30f8604.0.raw.unpack

Malware Configuration Extractor: Njrat {"Host": "Client.exe", "Port": "7940", "Campaign ID": "HacKed", "Version": "Platinum", "Network Seprator": "|Ghost|"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: Client.exe	ReversingLabs: Detection: 86%
Source: Client.exe	Virustotal: Detection: 75%			Perma Link

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.7:49681 -> 147.185.221.27:7940

Source: Joe Sandbox View

IP Address: 147.185.221.27 147.185.221.27

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: anyone-center.gl.at.ply.gg

Source: Client.exe, 00000000.00000002.1024033892.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/EngADTbC
Source: Client.exe, Client.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: Client.exe, Form1.cs	.Net Code: SetHook
Source: Client.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: Client.exe.0.dr, Form1.cs	.Net Code: SetHook
Source: Client.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Client.exe.30f8604.0.raw.unpack, Form1.cs	.Net Code: SetHook
Source: 0.2.Client.exe.30f8604.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Client.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: Client.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Client.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Client.exe, type: SAMPLE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_0305292A		0_2_0305292A
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 1_2_02DE8BD0		1_2_02DE8BD0

Source: Client.exe, 00000000.00000002.1023322988.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Client.exe
Source: Client.exe, 00000001.00000002.3428576235.0000000000F38000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Client.exe
Source: Client.exe, 00000001.00000002.3428910326.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Client.exe

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Client.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client.exe, type: SAMPLE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Client.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Client.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Client.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: Client.exe, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Client.exe, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Client.exe.0.dr, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Client.exe.30f8604.0.raw.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Client.exe

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to behavior

Source: Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client.exe	ReversingLabs: Detection: 86%
Source: Client.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Desktop\Client.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Client.exe "C:\Users\user\Desktop\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Client.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Client.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.Client.exe.30f8604.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Client.exe, Client.exe.0.dr

Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: threadDelayed 3565	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: threadDelayed 5839	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7096	Thread sleep count: 3565 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep count: 5839 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 7088	Thread sleep time: -5839000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&/
Source: Client.exe, 00000000.00000002.1023322988.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y}
Source: Client.exe, 00000000.00000002.1023322988.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Client.exe.0.dr	Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Client.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Client.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Client.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\Client.exe

Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"

Jump to behavior

Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager&
Source: Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.000000000328C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Client.exe, Client.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJ
Source: Client.exe, Client.exe.0.dr	Binary or memory string: Progman!ChamaFrmTerrorrr
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerV
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.000000000328C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\
Source: Client.exe, 00000001.00000002.3428910326.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ

Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Source: Client.exe, 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, Client.exe, 00000000.00000002.1024033892.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Client.exe.0.dr

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Client.exe.30f8604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Masquerading	1 Input Capture	211 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Client.exe	86%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
Client.exe	75%	Virustotal		Browse
Client.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Client.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Client.exe	86%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT

Name	IP	Active	Malicious	Antivirus Detection	Reputation
anyone-center.gl.at.ply.gg	147.185.221.27	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine	Client.exe, Client.exe.0.dr	false		high
https://pastebin.com/raw/EngADTbC	Client.exe, 00000000.00000002.1024033892.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000001.00000002.3430108300.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.27	anyone-center.gl.at.ply.gg	United States		12087	SALSGIVERUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646221
Start date and time:	2025-03-23 17:13:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Client.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 27 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 23.204.23.20, 2.23.227.208
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Client.exe, PID 6792 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:15:16	API Interceptor	1056488x Sleep call for process: Client.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.27	rbx hack 2.6.exe	Get hash	malicious	Njrat	Browse
	Payload.exe	Get hash	malicious	Njrat	Browse
	pisun.exe	Get hash	malicious	Njrat	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Server.exe.bin.exe	Get hash	malicious	Njrat	Browse
	RobloxInstaller.exe	Get hash	malicious	Unknown	Browse
	tsetup-x64.5.9.0.exe	Get hash	malicious	RDPWrap Tool	Browse
	123123.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload1234.exe.bin.exe	Get hash	malicious	Njrat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	Luna.exe	Get hash	malicious	XWorm	Browse	147.185.221.26
	rbx hack 2.6.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	Payload.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	pisun.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.27
	winupdate.scr.exe	Get hash	malicious	Unknown	Browse	147.185.221.26
	Bootstrapper.exe	Get hash	malicious	XWorm	Browse	147.185.221.26
	Microsoft Word Host.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	Client.exe.bin.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	Server.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27

Process:	C:\Users\user\Desktop\Client.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.356499146491567
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPTArkvoDLI4MWuCv:MLU84qpE4KiE4Ks
MD5:	772DEDF110E6B8108DC618DC8FCCC04F
SHA1:	3B6AE6F5F21A4B3734618AFFF3AD8BA2F96C6DBE
SHA-256:	DD1B1A28C3F281DEB153B08B3E3883BFED888A9014DF431CB21C01A969C5966E
SHA-512:	D91190CBA989344BADDA0DECB859F1C89CDE4E25F25DB0AF7B1E471E11A67ADB632F19B260419437CA0E8D11038D349B574E758FA2414FC447479EE385301252
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\Client.exe

Download File

Process:	C:\Users\user\Desktop\Client.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	5.787469461976195
Encrypted:	false
SSDEEP:	1536:i3DI27pnw9eiVGlTOvwo0ia9P3A6mF9bv:iTI2RJiVnIHn9PXmF9b
MD5:	2A357B0EF639D2D4FBE0FFE0253BB81F
SHA1:	1A6C0A02EB660712956E0C7AEB040055A4AD1C4B
SHA-256:	AFD119EF00E6C4874E06532156235E0B99CC3039D4E03B96F5574E171054037A
SHA-512:	39709330665AF0C675EE9EB5CF85D0481C20B010B46659DB81C185FBB241E0976A1DEA85D378838F7619D53B23302EB41D3A78E3CACEBDF32EB7F3AFF7C2EC40
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Florian Roth Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Sekoia.io Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ... ....@.. .......................`............@.....................................K.... ..@....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H........................................................................1..........$\|..........<.t........I am virus! Fuck You :-)............................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.787469461976195
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Client.exe
File size:	62'464 bytes
MD5:	2a357b0ef639d2d4fbe0ffe0253bb81f
SHA1:	1a6c0a02eb660712956e0c7aeb040055a4ad1c4b
SHA256:	afd119ef00e6c4874e06532156235e0b99cc3039d4e03b96f5574e171054037a
SHA512:	39709330665af0c675ee9eb5cf85d0481c20b010b46659db81c185fbb241e0976a1dea85d378838f7619d53b23302eb41d3a78e3cacebdf32eb7f3aff7c2ec40
SSDEEP:	1536:i3DI27pnw9eiVGlTOvwo0ia9P3A6mF9bv:iTI2RJiVnIHn9PXmF9b
TLSH:	CF535B44BF924631D5AE0B7894B777129775E9036813EB2F48C160EF2B233D90E46BE6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x410afe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67DF0B14 [Sat Mar 22 19:10:12 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10ab0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeb04	0xec00	2068de90f40bc6ca924f016da1dc5fda	False	0.4711003707627119	data	5.81278752955367	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x240	0x400	08e614b8f1d20a50b5b3684e856ff5f3	False	0.3115234375	data	4.965539353996097	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	0c5c85d032309e1f8c83857a184ceb02	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x12058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 54
• 7940 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 17:14:47.570882082 CET	49681	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:14:48.582540989 CET	49681	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:14:50.585964918 CET	49681	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:14:54.598150969 CET	49681	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:02.613766909 CET	49681	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:10.677937984 CET	49692	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:11.692003965 CET	49692	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:13.707565069 CET	49692	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:17.707560062 CET	49692	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:25.707562923 CET	49692	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:33.724692106 CET	49694	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:34.738871098 CET	49694	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:36.754475117 CET	49694	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:40.770104885 CET	49694	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:48.786804914 CET	49694	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:56.818742990 CET	49695	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:57.957670927 CET	49695	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:15:59.957657099 CET	49695	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:04.066983938 CET	49695	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:12.067014933 CET	49695	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:20.101102114 CET	49696	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:21.113888979 CET	49696	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:23.113984108 CET	49696	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:27.129786015 CET	49696	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:35.145126104 CET	49696	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:43.178008080 CET	49697	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:44.192053080 CET	49697	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:46.285820007 CET	49697	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:50.289716959 CET	49697	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:16:58.488917112 CET	49697	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:06.524219036 CET	49698	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:07.645183086 CET	49698	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:09.645210028 CET	49698	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:13.645209074 CET	49698	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:21.754626036 CET	49698	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:29.771372080 CET	49699	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:30.785866976 CET	49699	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:32.785851955 CET	49699	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:36.785829067 CET	49699	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:44.863986969 CET	49699	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:52.881131887 CET	49700	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:53.895231009 CET	49700	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:55.895215034 CET	49700	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:17:59.895270109 CET	49700	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:07.910877943 CET	49700	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:16.037818909 CET	49702	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:17.067123890 CET	49702	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:19.067209959 CET	49702	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:23.082809925 CET	49702	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:31.098380089 CET	49702	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:39.115339994 CET	49703	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:40.239201069 CET	49703	7940	192.168.2.7	147.185.221.27
Mar 23, 2025 17:18:42.254642010 CET	49703	7940	192.168.2.7	147.185.221.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 17:14:47.363095045 CET	53356	53	192.168.2.7	1.1.1.1
Mar 23, 2025 17:14:47.544167995 CET	53	53356	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 23, 2025 17:14:47.363095045 CET	192.168.2.7	1.1.1.1	0xb34c	Standard query (0)	anyone-center.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 23, 2025 17:14:47.544167995 CET	1.1.1.1	192.168.2.7	0xb34c	No error (0)	anyone-center.gl.at.ply.gg		147.185.221.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• Client.exe
• Client.exe

Click to jump to process

Memory Usage

• Client.exe
• Client.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	12:14:31
Start date:	23/03/2025
Path:	C:\Users\user\Desktop\Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Client.exe"
Imagebase:	0xe00000
File size:	62'464 bytes
MD5 hash:	2A357B0EF639D2D4FBE0FFE0253BB81F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.957853809.0000000000E02000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1024033892.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:14:37
Start date:	23/03/2025
Path:	C:\Users\user\AppData\Local\Temp\Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Client.exe"
Imagebase:	0xb90000
File size:	62'464 bytes
MD5 hash:	2A357B0EF639D2D4FBE0FFE0253BB81F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Florian Roth Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Sekoia.io Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 86%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Function 0305292A Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab37c5af2604a8afbab88f736cd64240e941d3a52d6ff5e9ecd69f46de6bc2a
Instruction ID: 7eec990616ade4fc82c435df958a7f321211ec0a8f7b1381d722915664733814
Opcode Fuzzy Hash: 0ab37c5af2604a8afbab88f736cd64240e941d3a52d6ff5e9ecd69f46de6bc2a
Instruction Fuzzy Hash: B612D774A402189FDB14DF64D954B6DBBB2FF88300F1084B9E90A6B794CB79AD81CF51

Function 03051958 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

)p^, xrefs: 03051CDF, 03051CE4

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID: )p^
API String ID: 0-1404677332
Opcode ID: 12c02e49182ab62e21b8f8b4dcba0cb38830d4b1bbfb2874a90d21e0160510a5
Instruction ID: f4a85dc1d626cacbc1a7433ee5fa96bb51acd7a5949ee9450032861d1a094385
Opcode Fuzzy Hash: 12c02e49182ab62e21b8f8b4dcba0cb38830d4b1bbfb2874a90d21e0160510a5
Instruction Fuzzy Hash: 7EF11674A01218CFDB18EF64D854BADBBB2FB85304F1085A9E806AB754DB3A9D81CF11

Function 030519A0 Relevance: 1.6, Strings: 1, Instructions: 359COMMON

Download Yara Rule

Strings

)p^, xrefs: 03051CDF, 03051CE4

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID: )p^
API String ID: 0-1404677332
Opcode ID: cc551e102115280e0d3ceef653775853614097b8255edf8fab6a306bca38039a
Instruction ID: b9f1d4371ac60ae520a8fdbf1b8110813f700c2e0ec7232ae408a5f990631974
Opcode Fuzzy Hash: cc551e102115280e0d3ceef653775853614097b8255edf8fab6a306bca38039a
Instruction Fuzzy Hash: D2F1F774A01208CFDB18EF74D854BADBBB2FB85304F1485A9E80AAB754DB399D81CF11

Function 03051A9E Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

)p^, xrefs: 03051CDF, 03051CE4

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID: )p^
API String ID: 0-1404677332
Opcode ID: be7436535797ff41962d9cafc36456dcac57057df118fb97053e821190dcfe0c
Instruction ID: 2aeb761968865191807b068bc4294f2c8abf0f7da9bfd234e01700f54f065ac6
Opcode Fuzzy Hash: be7436535797ff41962d9cafc36456dcac57057df118fb97053e821190dcfe0c
Instruction Fuzzy Hash: 68E1DB74A01218CFDB18DF64D854AADBBB2FB89315F1085B9E80AAB754DB399D81CF10

Function 0305355C Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe191165bc2974b8766faa9dfbd208773fcd3a5b7126f4e727c25ccc2ba94ec
Instruction ID: 094a35709d719ab4ca3200ed0c2006ae3f02ccf14a780540f4662d36feaefa0d
Opcode Fuzzy Hash: 8fe191165bc2974b8766faa9dfbd208773fcd3a5b7126f4e727c25ccc2ba94ec
Instruction Fuzzy Hash: D9E0D87AA093850BCB0587B485253A9FFB09F56104B0987DAC45ACB582D9754A008257

Function 030528FF Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e0f68076dcb311809cdb32f1a722ec4e37846e8e148d3e5cb3baafec795eb3
Instruction ID: b9b45b2d238c75c1a2cf8a9f2a5952a9456afaf045ef7a746ca5d53a28799118
Opcode Fuzzy Hash: e9e0f68076dcb311809cdb32f1a722ec4e37846e8e148d3e5cb3baafec795eb3
Instruction Fuzzy Hash: 1012C778A402189FDB14DF64D954BADBBB2FF88300F1084B9E9096B794CB79AD81CF51

Function 03053F06 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f958c2013724e2efa0ba618bc5b412e7b3e5f3f21918f7f5ba02d328ecd0a3b3
Instruction ID: af26e8bc028a32506aac7e7f8c9d91f41836c5f660db1102f0904ae938983f0d
Opcode Fuzzy Hash: f958c2013724e2efa0ba618bc5b412e7b3e5f3f21918f7f5ba02d328ecd0a3b3
Instruction Fuzzy Hash: 13E08673D492514BD31292ACE5153A6ABA98B83221F1D007BE849D7A53C86688458396

Function 03050C00 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67af0fbc442f0c8f86adc6f6684e2a995334296c04c768ec503644050e4a6f0d
Instruction ID: 5f3ef14ef74a7cf5ad2cdb9d910f225cfe64456972162a398d2a65d7ba4d9a17
Opcode Fuzzy Hash: 67af0fbc442f0c8f86adc6f6684e2a995334296c04c768ec503644050e4a6f0d
Instruction Fuzzy Hash: 44917BB15003428FC705EF38E885A897B71FB85720B15C1B9E411ABA6ADBB96D49CF42

Function 03050C70 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e053a92ff73e621a446472345da446b1aeb08c2287afd6ebd49e57800e180eb9
Instruction ID: dda0e3d12e0a86d02060c4492ea073941b2dbb3a41c7357e363e3aa73ef572fd
Opcode Fuzzy Hash: e053a92ff73e621a446472345da446b1aeb08c2287afd6ebd49e57800e180eb9
Instruction Fuzzy Hash: D47118B0600246CFCB15FF28F885A597BB1FB84720B11C1B8E411ABA6ADB7D6D45CF42

Function 03052290 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85938a466bf1c708f263d321fc81f089a9d34651a082b486a1ca89e58eec2363
Instruction ID: e6f1d45b5b0448fb3a95dc6f9236f364debb3d3fcac362eb5b40036ab7e7270c
Opcode Fuzzy Hash: 85938a466bf1c708f263d321fc81f089a9d34651a082b486a1ca89e58eec2363
Instruction Fuzzy Hash: C0419571A022159FCB58DB7CC45426EBBEAEF89210B158879E855EB350DB349C418B94

Function 030531D8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4908ed70aee9fec1d50856f437f369e72a970ba600b765217508af5fa538b3f
Instruction ID: c1f57f9d405025ce18b82d03075d02ac70a4c575d702172bc85602ee9c1ca9e4
Opcode Fuzzy Hash: c4908ed70aee9fec1d50856f437f369e72a970ba600b765217508af5fa538b3f
Instruction Fuzzy Hash: FE31E338A052088FDB68DFACD40937FBBE5EB84250F5848A9E805D7294CE349D81C799

Function 0305214D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621831fccd832b8ab7e36c2901ad7736784e747ab0544fc96faf41d2146ce39e
Instruction ID: f9c1530f964cc79fbae0247f919f331be4df25974d390d8f85a82b9852c32856
Opcode Fuzzy Hash: 621831fccd832b8ab7e36c2901ad7736784e747ab0544fc96faf41d2146ce39e
Instruction Fuzzy Hash: 2E21F431A0D3885FDB0A57784C6936F7F7AAFD7210F4984EAD502DB396C9248C09C7A6

Function 03050F80 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6473cbfa80d673a4e30d7f982773b51057558363b76ba8c3d343baaad3ab5889
Instruction ID: 1c762042fc8be51e3a1e08798ddd020182726f7f0cff04f19cc57e9e252b149f
Opcode Fuzzy Hash: 6473cbfa80d673a4e30d7f982773b51057558363b76ba8c3d343baaad3ab5889
Instruction Fuzzy Hash: A721A6326062849BDF18DA66C4947EF77F7AB84350F085435FD01A7284DAF69C828BA0

Function 03053952 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ef068af75a001def7d273b61af2b55e6caf435fd0f2f80f161ded980314ce3
Instruction ID: 43fce13fb0867e2fd83a0a0b0f2b7de896804eb0ed1dfef9b6cb60bbaf7b7d22
Opcode Fuzzy Hash: 93ef068af75a001def7d273b61af2b55e6caf435fd0f2f80f161ded980314ce3
Instruction Fuzzy Hash: 63F0C8367153488FCB159BB4E41A369BFF0EF46211B0C86ABE80AC7281DE758D00C795

Function 03054090 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bc36ed27944ad54dcc43caa252233178076b5d998111632b8b6e04cc158b0a
Instruction ID: 3943816c3a068f07254af508bb6744a6dbe4407ffad12a37d912df9f5e0bc4c4
Opcode Fuzzy Hash: e4bc36ed27944ad54dcc43caa252233178076b5d998111632b8b6e04cc158b0a
Instruction Fuzzy Hash: 1E012B37B053144FC715936EA4145AEBBB9CFC5221B1D40B7F909CB362CD3188418794

Function 030521A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa0e195ad8aabb190a1cd893535427620ed1062d269eb04be690ad0f68e28fd
Instruction ID: 0e1934c376080fc9c448ce5e066a745552d42acde7caedf1c9ce9e314a63d524
Opcode Fuzzy Hash: bfa0e195ad8aabb190a1cd893535427620ed1062d269eb04be690ad0f68e28fd
Instruction Fuzzy Hash: F4F06D35E0511CDBCF18CAAAE8445EEBBBAEF8C321F08C865E91573244CB315A14CBA4

Function 03053920 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752f9796dbdd5c1cfa104b1c3ca726d24360ff9a87e6f98f86333b68030ae4b9
Instruction ID: 28f1777bb40cb4c9b653c30a515a6a0f13b092c43a6c1df6b5bf2a58e5cc9ee7
Opcode Fuzzy Hash: 752f9796dbdd5c1cfa104b1c3ca726d24360ff9a87e6f98f86333b68030ae4b9
Instruction Fuzzy Hash: 06D0A73160030C57CF14DFF4841157EBBB9DB442007404959D80AC7200ED318F0046DA

Function 030531CA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18f455a778d9c25d1afe7eaa68059e2acf459d5b2a6ab816057a678bbb2e4b2
Instruction ID: da685d26a0671f7ca0118ee3c6321461c97847b187a38f510c2f81878115b471
Opcode Fuzzy Hash: f18f455a778d9c25d1afe7eaa68059e2acf459d5b2a6ab816057a678bbb2e4b2
Instruction Fuzzy Hash: 15D0A7364491818AEB21C7B8EA8B3557FE1BB02215F4D45D98C1D4B2A2D729C066C744

Function 03053960 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97063e923eee7176067e93ee6ba367410a2615493582989a2f081c249fabea1
Instruction ID: ffbd00c20e0fcdd3ed578c45723e7a9dfea862d5d65b99e67bfdb98fddff2e3d
Opcode Fuzzy Hash: e97063e923eee7176067e93ee6ba367410a2615493582989a2f081c249fabea1
Instruction Fuzzy Hash: 3ED012317503288BCB192778A00D06D7FE9EB49122308547BF806C3310DE76CC0187C4

Function 03050840 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1023882922.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeefbc8b753873f3f9e57aefa179947ed69e610919cc8f5f0ed1cc7b279990e7
Instruction ID: 9e83aed36ff356cb7a9dbd7fc9e28450260adf8fc51fa757eefa49a64bd6cd39
Opcode Fuzzy Hash: aeefbc8b753873f3f9e57aefa179947ed69e610919cc8f5f0ed1cc7b279990e7
Instruction Fuzzy Hash: 4FD0C96940E3C20FCB4B46246C1D12A6F746993776BDA48DBD0C0C5297E144881587B2

Analysis Process: Client.exePID: 7080, Parent PID: 6792COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 02DE6840 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 02DE6862

Memory Dump Source

Source File: 00000001.00000002.3430027202.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2de0000_Client.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0406db23564185386b7bae85ca1d71e5a0d3ac07584a4040e0b72e5c6b0a5602
Instruction ID: 49e502b7e4a3cc694babce92e386f0e95be035935719bb74937025fa1a5e5a9d
Opcode Fuzzy Hash: 0406db23564185386b7bae85ca1d71e5a0d3ac07584a4040e0b72e5c6b0a5602
Instruction Fuzzy Hash: 12418E31A002148FDB14EF74D89869DBBB6EF98710B048665D80AEB359DF34DD82CBE1

Function 02DEB8E4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DEBC96,?,?,?,?,?), ref: 02DEBD57

Memory Dump Source

Source File: 00000001.00000002.3430027202.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2de0000_Client.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bfad02a29f5e700dcaecc039b9e984987c102692dfee01007fedbf6396bfc028
Instruction ID: 3479f8215d69ee2e929546f4df48ab1de033fb2767352997fbc9060e2af90a40
Opcode Fuzzy Hash: bfad02a29f5e700dcaecc039b9e984987c102692dfee01007fedbf6396bfc028
Instruction Fuzzy Hash: 032103B5900248AFDB10CFAAD484AEEFBF4FB48314F10841AE919A3310D374A940CFA4

Function 02DEBCC9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DEBC96,?,?,?,?,?), ref: 02DEBD57

Memory Dump Source

Source File: 00000001.00000002.3430027202.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2de0000_Client.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 394a25b92fdf3555f7e5f520e46f81bc05bb3980dc586b2349520263a64f9fcc
Instruction ID: c224181ee85b0b7e5cf467f77fe0a9f6adf75a0833c8cebbf0dccf2063fadd6b
Opcode Fuzzy Hash: 394a25b92fdf3555f7e5f520e46f81bc05bb3980dc586b2349520263a64f9fcc
Instruction Fuzzy Hash: A521E3B5900249AFDB10CFAAD885ADEBBF5FB48314F14841AE919A3350D374A940CF64

Function 0135D5E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3429761211.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_135d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a5c868955fadd4453a0b6f1185a727397e7fe7deceed5849ea12a1a5d4ed64
Instruction ID: 0b8da708bfe3407dbce8db76572803d5bda354e289061113729366d75061eb49
Opcode Fuzzy Hash: c2a5c868955fadd4453a0b6f1185a727397e7fe7deceed5849ea12a1a5d4ed64
Instruction Fuzzy Hash: 7D2130B2504344DFDB05DF94D9C0F26BBA5FB88728F60C169EC0A0B246C336D856CAB2

Function 02C5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3429834984.0000000002C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c5d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acd690111394c7d5bcf80b170d17f2feaa72b0b0205ee47351156cf2cdcc601
Instruction ID: c944e07b9d87a7ad95ab1038463a2bcd453107bd604b418679edccd9a07823e3
Opcode Fuzzy Hash: 4acd690111394c7d5bcf80b170d17f2feaa72b0b0205ee47351156cf2cdcc601
Instruction Fuzzy Hash: D821D071604340DFDB14DF10D9C0B16BBA5EFC4214F20C5A9EC0A4B296C37AD887CAA6

Function 02C5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3429834984.0000000002C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c5d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826580fc5f6e706886a5cf426fecf547d569c32b344c77d3948fab6e8c9defc0
Instruction ID: 663d88b202b2b33c3361ede386661b7c4c9aeafaa46b1b017a73053eb06cc3ab
Opcode Fuzzy Hash: 826580fc5f6e706886a5cf426fecf547d569c32b344c77d3948fab6e8c9defc0
Instruction Fuzzy Hash: 39217F755093808FCB02CF20D590715BF71EF86214F28C5EAD8498B2A7C33AD84ACBA2

Function 0135D5DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3429761211.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_135d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baab7f8d123f28d322c4ffd644cf3688b32af57504046ee8038241dcee65357b
Instruction ID: cccf07db73d4bd442e693b33d6e9870f604e23ad6b7acdc6062a31c8a056a351
Opcode Fuzzy Hash: baab7f8d123f28d322c4ffd644cf3688b32af57504046ee8038241dcee65357b
Instruction Fuzzy Hash: 32119A76504280CFDB16CF54D9C4B16BF72FB88724F2486A9DC094A257C33AD45ACBA2

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Client.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

C:\Users\user\AppData\Local\Temp\Client.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Client.exe