Windows Analysis Report
6PJia32WYA.exe

Overview

General Information

Sample name:	6PJia32WYA.exe renamed because original name is a hash value
Original sample name:	3ED98FE03E24701A6E755734D55EEE91.exe
Analysis ID:	1540667
MD5:	3ed98fe03e24701a6e755734d55eee91
SHA1:	95977cc2fc7b9ae40288bd0696244ad76c42dcc3
SHA256:	0a7b6765858909fdd38fe2266d11521f95928c5f3d05b7672f1146d6016191b3
Tags:	exenjratRATuser-abuse_ch
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6PJia32WYA.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "effects-tropical.gl.at.ply.gg", "Port": "22815", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "6aa928d68a624"}

Multi AV Scanner detection for submitted file

Source: 6PJia32WYA.exe

ReversingLabs: Detection: 94%

Yara detected Njrat

Source: Yara match	File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 6PJia32WYA.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 6PJia32WYA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6PJia32WYA.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 6PJia32WYA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.8:49710 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49704 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.8:49709 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.8:49711 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49705 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.8:49705 -> 147.185.221.23:22815
Source: Network traffic	Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.8:49705 -> 147.185.221.23:22815

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 147.185.221.23:22815

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: effects-tropical.gl.at.ply.gg

Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 6PJia32WYA.exe, Keylogger.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR

Sample file is different than original file name gathered from version info

Source: 6PJia32WYA.exe, 00000000.00000000.1439535818.0000000000908000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe4 vs 6PJia32WYA.exe
Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs 6PJia32WYA.exe
Source: 6PJia32WYA.exe	Binary or memory string: OriginalFilenameClient.exe4 vs 6PJia32WYA.exe

Uses 32bit PE files

Source: 6PJia32WYA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Code function: 0_2_0524255A AdjustTokenPrivileges,		0_2_0524255A
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Code function: 0_2_05242523 AdjustTokenPrivileges,		0_2_05242523

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Mutant created: \Sessions\1\BaseNamedObjects\6aa928d68a624
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 6PJia32WYA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6PJia32WYA.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\6PJia32WYA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6PJia32WYA.exe

ReversingLabs: Detection: 94%

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\6PJia32WYA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\6PJia32WYA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 6PJia32WYA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\6PJia32WYA.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 6PJia32WYA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 6PJia32WYA.exe, Program.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Memory allocated: 12B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Window / User API: threadDelayed 3638	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Window / User API: threadDelayed 5707	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Window / User API: foregroundWindowGot 1759	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472	Thread sleep time: -147000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5832	Thread sleep count: 3638 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472	Thread sleep count: 5707 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe TID: 5472	Thread sleep time: -5707000s >= -30000s	Jump to behavior

Source: 6PJia32WYA.exe, 00000000.00000002.3903370906.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\6PJia32WYA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\6PJia32WYA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 6PJia32WYA.exe, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: 6PJia32WYA.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 6PJia32WYA.exe, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Source: 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.000000000308D000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000032CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.000000000308D000.00000004.00000800.00020000.00000000.sdmp, 6PJia32WYA.exe, 00000000.00000002.3904333043.00000000032CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9_l

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6PJia32WYA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6PJia32WYA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6PJia32WYA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 6PJia32WYA.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6PJia32WYA.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1439518855.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6PJia32WYA.exe PID: 5404, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	effects-tropical.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
effects-tropical.gl.at.ply.gg	147.185.221.23	true

ID:	1540667
Product:	CloudBasic
Start time:	00:46:06
Start date:	24.10.2024
Sample:	6PJia32WYA.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3ed98fe03e24701a6e755734d55eee91
SHA1:	95977cc2fc7b9ae40288bd0696244ad76c42dcc3
SHA256:	0a7b6765858909fdd38fe2266d11521f95928c5f3d05b7672f1146d6016191b3
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Windows Analysis Report
6PJia32WYA.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report 6PJia32WYA.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
6PJia32WYA.exe

Malware Threat Intel
Provided by