Windows Analysis Report
6PJia32WYA.exe

Overview

General Information

Sample name: 6PJia32WYA.exe
renamed because original name is a hash value
Original sample name: 3ED98FE03E24701A6E755734D55EEE91.exe
Analysis ID: 1540667
MD5: 3ed98fe03e24701a6e755734d55eee91
SHA1: 95977cc2fc7b9ae40288bd0696244ad76c42dcc3
SHA256: 0a7b6765858909fdd38fe2266d11521f95928c5f3d05b7672f1146d6016191b3
Tags: exenjratRATuser-abuse_ch
Infos:

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name Description Attribution Blogpost URLs Link
NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

barindex
Source: 6PJia32WYA.exe Avira: detected
Source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Njrat {"Host": "effects-tropical.gl.at.ply.gg", "Port": "22815", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "6aa928d68a624"}
Source: 6PJia32WYA.exe ReversingLabs: Detection: 94%
Source: Yara match File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6PJia32WYA.exe Joe Sandbox ML: detected
Source: 6PJia32WYA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\6PJia32WYA.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: 6PJia32WYA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

barindex
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49705 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49705 -> 147.185.221.23:22815
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49705 -> 147.185.221.23:22815
Source: global traffic TCP traffic: 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Joe Sandbox View IP Address: 147.185.221.23 147.185.221.23
Source: Joe Sandbox View ASN Name: SALSGIVERUS SALSGIVERUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: effects-tropical.gl.at.ply.gg
Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.
Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: 6PJia32WYA.exe, Keylogger.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

barindex
Source: Yara match File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR
Source: 6PJia32WYA.exe, 00000000.00000000.1439535818.0000000000908000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe4 vs 6PJia32WYA.exe
Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs 6PJia32WYA.exe
Source: 6PJia32WYA.exe Binary or memory string: OriginalFilenameClient.exe4 vs 6PJia32WYA.exe
Source: 6PJia32WYA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\6PJia32WYA.exe Code function: 0_2_0524255A AdjustTokenPrivileges, 0_2_0524255A
Source: C:\Users\user\Desktop\6PJia32WYA.exe Code function: 0_2_05242523 AdjustTokenPrivileges, 0_2_05242523
Source: C:\Users\user\Desktop\6PJia32WYA.exe Mutant created: NULL
Source: C:\Users\user\Desktop\6PJia32WYA.exe Mutant created: \Sessions\1\BaseNamedObjects\6aa928d68a624
Source: C:\Users\user\Desktop\6PJia32WYA.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 6PJia32WYA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6PJia32WYA.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\6PJia32WYA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 6PJia32WYA.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: 6PJia32WYA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\6PJia32WYA.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: 6PJia32WYA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: 6PJia32WYA.exe, Program.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Memory allocated: F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Memory allocated: 12B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Window / User API: threadDelayed 3638 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Window / User API: threadDelayed 5707 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Window / User API: foregroundWindowGot 1759 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472 Thread sleep count: 147 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472 Thread sleep time: -147000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5832 Thread sleep count: 3638 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472 Thread sleep count: 5707 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472 Thread sleep time: -5707000s >= -30000s Jump to behavior
Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\6PJia32WYA.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 6PJia32WYA.exe, Program.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: 6PJia32WYA.exe, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 6PJia32WYA.exe, Keylogger.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.000000000308D000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000032CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.000000000308D000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000032CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9_l
Source: C:\Users\user\Desktop\6PJia32WYA.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs