Windows Analysis Report
qccPe3dO1l.exe

Overview

General Information

Sample name: qccPe3dO1l.exe (renamed because the original name is a hash value)
Original sample name: 4c471dbef461ae0fc6401bff21f00ecb.exe
Analysis ID: 1514614
MD5: 4c471dbef461ae0fc6401bff21f00ecb
SHA1: 80a2f9c98e682e53da78fdd9c6dc3e81c43c225b
SHA256: 4a67b99e3b666fdb104edeb7e51db77269fb93744027d8c67022f8ecdaf5141f
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Protects its processes via BreakOnTermination flag
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
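The persistence and firewall signatures above (autorun keys pointing at a suspicious folder, an executable dropped into the Startup folder under an MD5-like name, netsh firewall changes, zone checking disabled) can be re-checked on a host from Sysmon-style registry, file and process events. The triage logic below is an added example written for this page; it is not Joe Sandbox, Sigma or njRAT code. The event records are constructed: the Temp and Startup paths and the dropped file name come from this report, while the exact Run value name, the netsh command line and the SEE_MASK_NOZONECHECKS registry location are assumptions about how this sample implements the flagged behaviour.

```python
"""Host-side triage for the persistence artifacts flagged in this report (added example)."""
import re

# Autorun value under HKLM/HKU ...\CurrentVersion\Run or RunOnce, Wow6432Node included.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Directories an autorun entry should not normally point into (user-writable, no install).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# 32 hex characters as a file name: the dropped 36db42ed563b740681ec3918ded7c343.exe pattern.
HASH_NAME_RE = re.compile(r"\\[0-9a-f]{32}\.[a-z]{2,4}$", re.IGNORECASE)
NETSH_FW_RE = re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\b(add|set)\b", re.IGNORECASE)


def _first_path(details: str) -> str:
    """Pull the executable path out of a Run-key value or command line (quoted or bare)."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)]
    return details.split(" ")[0]


def check_event(ev: dict) -> list:
    """Return the names of every check a single event trips (empty list if none)."""
    findings = []
    kind = ev["type"]
    if kind == "registry_set":
        target, data = ev["target"], ev.get("details", "")
        if RUN_KEY_RE.search(target):
            findings.append("autorun_key_modified")
            if any(d in _first_path(data).lower() for d in SUSPICIOUS_DIRS):
                findings.append("run_key_points_to_suspicious_folder")
        # Assumed location: SEE_MASK_NOZONECHECKS=1 as a machine environment variable.
        if target.lower().endswith("\\see_mask_nozonechecks") and data.strip() == "1":
            findings.append("zone_check_disabled")
    elif kind == "file_create":
        path = ev["target"].lower()
        if STARTUP_DIR in path and path.endswith(EXEC_EXTS):
            findings.append("executable_written_to_startup_folder")
            if HASH_NAME_RE.search(path):
                findings.append("hash_like_filename")
    elif kind == "process_create":
        if NETSH_FW_RE.search(ev.get("command_line", "")):
            findings.append("netsh_firewall_modification")
    return findings


def triage(events) -> dict:
    """Map each finding to the ids of the events that produced it."""
    hits = {}
    for ev in events:
        for finding in check_event(ev):
            hits.setdefault(finding, []).append(ev["id"])
    return hits


# Constructed events (not sandbox output). Paths and the dropped file name are
# taken from this report; value name, netsh syntax and the zone-check key are assumed.
TEMP_COPY = "C:\\Users\\user\\AppData\\Local\\Temp\\facebok.exe"
STARTUP_COPY = ("C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
                "\\36db42ed563b740681ec3918ded7c343.exe")
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
               "\\36db42ed563b740681ec3918ded7c343",
     "details": f'"{TEMP_COPY}" ..'},
    {"id": 2, "type": "file_create", "target": STARTUP_COPY},
    {"id": 3, "type": "process_create",
     "command_line": f'netsh firewall add allowedprogram "{TEMP_COPY}" "facebok.exe" ENABLE'},
    {"id": 4, "type": "registry_set",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
               "\\SEE_MASK_NOZONECHECKS",
     "details": "1"},
    # Benign control: a vendor autorun under Program Files is a key change, not a suspicious one.
    {"id": 5, "type": "registry_set",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for finding, ids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{finding}: events {ids}")
```

The benign OneDrive entry still trips the broad autorun check, which mirrors the difference between the "CurrentVersion Autorun Keys Modification" and "New RUN Key Pointing to Suspicious Folder" Sigma rules listed above: the first is a low-severity change record, the second is the one worth paging on.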

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: qccPe3dO1l.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Njrat {"Host": "seznam.hopto.org", "Port": "1177", "Version": "0.7d", "Campaign ID": "KARLA 1998", "Install Name": "facebok.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
Source: C:\Users\user\AppData\Local\Temp\facebok.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe ReversingLabs: Detection: 73%
Source: qccPe3dO1l.exe ReversingLabs: Detection: 73%
Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4175086673.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4211820791.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qccPe3dO1l.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 5024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 2088, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe Joe Sandbox ML: detected
Source: qccPe3dO1l.exe Joe Sandbox ML: detected
Source: qccPe3dO1l.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: qccPe3dO1l.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49732 -> 34.145.18.233:1177
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49732 -> 34.145.18.233:1177
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49732 -> 34.145.18.233:1177
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49732 -> 34.145.18.233:1177
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49732 -> 34.145.18.233:1177
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.4:49732 -> 34.145.18.233:1177
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 34.145.18.233:1177
Source: Joe Sandbox View ASN Name: ATGS-MMD-ASUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_0146A09A recv, 1_2_0146A09A
Source: global traffic DNS traffic detected: DNS query: seznam.hopto.org
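The extracted configuration gives the C2 endpoint (seznam.hopto.org, port 1177) and the field separator |'|'|, and the Suricata rule names above key on the command tokens (ll, inf, act) that open each message. The parser below is an added example for this page, not code from the report, from Joe Sandbox or from njRAT. It assumes the framing njRAT 0.7d uses on the wire (an ASCII decimal payload length, a NUL byte, then the payload) and that the first field of the "ll" registration message is base64 of "<campaign id>_<volume serial>". The sample stream is constructed: the campaign ID, install name and separator are the report's, while the volume serial, host name, user name and the field order after the victim ID are assumptions rather than data from dump.pcap.

```python
"""Frame and field parser for njRAT/Bladabindi TCP traffic (added example)."""
import base64
from dataclasses import dataclass

# Field separator from the extracted configuration ("Network Seprator" in the report).
SEPARATOR = "|'|'|"


@dataclass
class NjratMessage:
    command: str   # leading token, e.g. "ll" (register), "act" (active window), "inf"
    fields: list   # remaining separator-delimited fields


def split_frames(stream: bytes):
    """Split a reassembled TCP byte stream into njRAT payloads.

    Each frame is "<decimal length>\\x00<payload>", the length counting payload
    bytes. Returns (payloads, leftover); leftover holds a trailing partial frame
    so a caller reading a live stream can resume once more bytes arrive.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                       # length prefix not complete yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        start = nul + 1
        end = start + int(prefix)
        if end > len(stream):
            break                       # payload truncated; keep for next read
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def parse_frame(payload: bytes) -> NjratMessage:
    """Split one payload into its command token and fields."""
    parts = payload.decode("utf-8", errors="replace").split(SEPARATOR)
    return NjratMessage(command=parts[0], fields=parts[1:])


def decode_victim_id(victim_id: str):
    """First 'll' field: base64("<campaign id>_<volume serial>") -> (campaign, serial)."""
    raw = base64.b64decode(victim_id).decode("utf-8", errors="replace")
    campaign, _, serial = raw.rpartition("_")
    return campaign, serial


def build_frame(*fields: str) -> bytes:
    """Encode fields as one frame; used here only to construct sample traffic."""
    payload = SEPARATOR.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def summarize(stream: bytes):
    """Parse every complete frame in a stream; returns (messages, leftover bytes)."""
    frames, leftover = split_frames(stream)
    return [parse_frame(f) for f in frames], leftover


# Constructed sample traffic (not taken from the capture). Campaign ID from the
# report; serial "1234ABCD", host, user and the later "ll" fields are assumed.
VICTIM_ID = base64.b64encode(b"KARLA 1998_1234ABCD").decode("ascii")
SAMPLE_STREAM = (
    build_frame("ll", VICTIM_ID, "DESKTOP-TEST", "user", "24-09-23", "No",
                "Win 10", "No", "..", "..")
    + build_frame("act", "Untitled - Notepad")
)

if __name__ == "__main__":
    msgs, rest = summarize(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.fields[:3])
    print("campaign, serial:", decode_victim_id(msgs[0].fields[0]))
    print("leftover bytes:", len(rest))
```

To run this against the report's capture, reassemble the client-to-server bytes of the 192.168.2.4:49732 -> 34.145.18.233:1177 stream from dump.pcap and pass them to summarize(); the first "ll" message yields the campaign ID that the configuration extractor reported without needing the unpacked binary.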

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4175086673.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4211820791.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qccPe3dO1l.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 5024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 2088, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1, the BreakOnTermination protection flagged in the signatures above; terminating the process then crashes the system)

System Summary

Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: qccPe3dO1l.exe, a.cs Large array initialization: a: array initializer size 250470
Source: facebok.exe.0.dr, a.cs Large array initialization: a: array initializer size 250470
Source: 36db42ed563b740681ec3918ded7c343.exe.1.dr, a.cs Large array initialization: a: array initializer size 250470
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_0146BBC6 NtSetInformationProcess, 1_2_0146BBC6
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_0146BBA4 NtSetInformationProcess, 1_2_0146BBA4
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_059E7B38 1_2_059E7B38
Source: qccPe3dO1l.exe, 00000000.00000002.1765233889.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs qccPe3dO1l.exe
Source: qccPe3dO1l.exe, 00000000.00000000.1694488742.000000000060A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameROTANA PC.exe4 vs qccPe3dO1l.exe
Source: qccPe3dO1l.exe Binary or memory string: OriginalFilenameROTANA PC.exe4 vs qccPe3dO1l.exe
Source: qccPe3dO1l.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@9/5@1/1
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_0146B876 AdjustTokenPrivileges, 1_2_0146B876
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_0146B83F AdjustTokenPrivileges, 1_2_0146B83F
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\qccPe3dO1l.exe.log
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Mutant created: \Sessions\1\BaseNamedObjects\36db42ed563b740681ec3918ded7c343
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File created: C:\Users\user\AppData\Local\Temp\facebok.exe
Source: qccPe3dO1l.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qccPe3dO1l.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qccPe3dO1l.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File read: C:\Users\user\Desktop\qccPe3dO1l.exe
Source: unknown Process created: C:\Users\user\Desktop\qccPe3dO1l.exe "C:\Users\user\Desktop\qccPe3dO1l.exe"
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Process created: C:\Users\user\AppData\Local\Temp\facebok.exe "C:\Users\user\AppData\Local\Temp\facebok.exe"
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\facebok.exe" "facebok.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\facebok.exe "C:\Users\user\AppData\Local\Temp\facebok.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\facebok.exe "C:\Users\user\AppData\Local\Temp\facebok.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\facebok.exe "C:\Users\user\AppData\Local\Temp\facebok.exe" ..
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Process created: C:\Users\user\AppData\Local\Temp\facebok.exe "C:\Users\user\AppData\Local\Temp\facebok.exe"
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\facebok.exe" "facebok.exe" ENABLE
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\facebok.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: qccPe3dO1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: qccPe3dO1l.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: qccPe3dO1l.exe Static file information: File size 1520640 > 1048576
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: qccPe3dO1l.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x136e00
Source: qccPe3dO1l.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: qccPe3dO1l.exe, d.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: facebok.exe.0.dr, d.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 36db42ed563b740681ec3918ded7c343.exe.1.dr, d.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 7.2.facebok.exe.5eb725c.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 8.2.facebok.exe.5ff8534.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 9.2.facebok.exe.5ea3770.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_01462EC1 pushad ; retf 1_2_01462EC2
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Code function: 1_2_014631A1 push esp; ret 1_2_014631B6
Source: qccPe3dO1l.exe Static PE information: section name: .text entropy: 7.354008577783102
Source: facebok.exe.0.dr Static PE information: section name: .text entropy: 7.354008577783102
Source: 36db42ed563b740681ec3918ded7c343.exe.1.dr Static PE information: section name: .text entropy: 7.354008577783102
Source: C:\Users\user\Desktop\qccPe3dO1l.exe File created: C:\Users\user\AppData\Local\Temp\facebok.exe
Source: C:\Users\user\AppData\Local\Temp\facebok.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\facebok.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36db42ed563b740681ec3918ded7c343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\facebok.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36db42ed563b740681ec3918ded7c343.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36db42ed563b740681ec3918ded7c343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36db42ed563b740681ec3918ded7c343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 36db42ed563b740681ec3918ded7c343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 36db42ed563b740681ec3918ded7c343 Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Process information set: NOOPENFILEERRORBOX (22 identical events) Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process information set: NOOPENFILEERRORBOX (41 identical events) Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX (2 identical events) Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process information set: NOOPENFILEERRORBOX (57 identical events) Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 2D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: FF0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 5170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 4E30000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 6170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 7170000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 73C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 83C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 93C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: A3C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: B3C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: B850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: C850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: D850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: E850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: F850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 10850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 11850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 12850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 13850000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 14160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 15160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 16160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 17160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 18160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 19160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 1A160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: 1B160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 34F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 54F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 59F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 56F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 69F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 79F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 7C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 8C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 9C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: AC40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: BC40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: C0D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: D0D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: E0D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: F0D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 100D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 110D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 120D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 130D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 140D0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 149E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 159E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 169E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 179E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 189E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 199E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1A9E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1950000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 3560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 5560000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 5AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 57A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 6AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 7AF0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 7D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 8D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 9D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: AD40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: BD40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: C1D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: D1D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: E1D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: F1D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 101D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 111D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 121D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 131D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 141D0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 14AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 15AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 16AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 17AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 18AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 19AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1AAE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1BAE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 14A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 3510000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 5510000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 59B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 56B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 69B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 79B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 7C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 8C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 9C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: AC00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: BC00000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: C090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: D090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: E090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: F090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 10090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 11090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 12090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 13090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 14090000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 149A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 159A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 169A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 179A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 189A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 199A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1A9A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1B9A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 14F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 3260000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 5260000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 5780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 5450000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 6780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 7780000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 79D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 89D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 99D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: A9D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: B9D0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: BE60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: CE60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: DE60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: EE60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: FE60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 10E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 11E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 12E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 13E60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 14770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 15770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 16770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 17770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 18770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 19770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1A770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Memory allocated: 1B770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Thread delayed: delay time: 922337203685477 (3 identical events) Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Window / User API: threadDelayed 1728 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Window / User API: threadDelayed 3457 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Window / User API: threadDelayed 4092 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Window / User API: foregroundWindowGot 1754 Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe TID: 6688 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe TID: 4820 Thread sleep time: -1728000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe TID: 4820 Thread sleep time: -4092000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe TID: 2676 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe TID: 2424 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe TID: 5904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: facebok.exe, 00000001.00000002.4163993268.00000000015AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld364e35"/>
Source: netsh.exe, 00000002.00000003.1843224983.00000000009A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\qccPe3dO1l.exe Process created: C:\Users\user\AppData\Local\Temp\facebok.exe "C:\Users\user\AppData\Local\Temp\facebok.exe"
Source: facebok.exe, 00000001.00000002.4211820791.0000000005D86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: facebok.exe, 00000001.00000002.4211820791.0000000005D86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9#l
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\facebok.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\facebok.exe" "facebok.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\facebok.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\facebok.exe" "facebok.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4175086673.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4211820791.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qccPe3dO1l.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 5024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 2088, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.facebok.exe.5eb725c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.4e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.facebok.exe.5ea3770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.facebok.exe.5ff8534.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qccPe3dO1l.exe.55f2184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2231811302.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4175086673.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781595988.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2146657112.0000000005FE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1781774307.0000000005471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088258371.0000000005EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4211820791.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qccPe3dO1l.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 5024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: facebok.exe PID: 2088, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP