Windows Analysis Report
xbOnlYALvtUq.exe

Overview

General Information

Sample Name: xbOnlYALvtUq.exe
Analysis ID: 1345566
MD5: 2bdc913d338e004ac337cfe9a44abc55
SHA1: 29feda66e04422c0d506048ea8123771269faa82
SHA256: f2f0353f1f50aa9a76a1ab978430f1a6e85d95d8ce7ee66230beda0927863cfc
Tags: exe, njRat

Detection

Njrat, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Connects to many ports of the same IP (likely port scanning)
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports

Classification

  • System is w10x64
  • xbOnlYALvtUq.exe (PID: 3472 cmdline: C:\Users\user\Desktop\xbOnlYALvtUq.exe MD5: 2BDC913D338E004AC337CFE9A44ABC55)
    • netsh.exe (PID: 5148 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\xbOnlYALvtUq.exe" "xbOnlYALvtUq.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"Host": "0.tcp.sa.ngrok.io", "Port": "13065", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
xbOnlYALvtUq.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
xbOnlYALvtUq.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | 0x3c9a:$a1: get_Registry; 0x4d66:$a2: SEE_MASK_NOZONECHECKS; 0x4e62:$a3: Download ERROR; 0x4d28:$a4: cmd.exe /c ping 0 -n 2 & del "; 0x4cba:$a5: netsh firewall delete allowedprogram "
xbOnlYALvtUq.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | 0x4d28:$x1: cmd.exe /c ping 0 -n 2 & del "; 0x4e80:$s3: Executed As; 0x4e62:$s6: Download ERROR
xbOnlYALvtUq.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0x4d96:$a1: netsh firewall add allowedprogram; 0x4d66:$a2: SEE_MASK_NOZONECHECKS; 0x5010:$b1: [TAP]; 0x4d28:$c3: cmd.exe /c ping
xbOnlYALvtUq.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | 0x4d66:$reg: SEE_MASK_NOZONECHECKS; 0x4e3e:$msg: Execute ERROR; 0x4e9a:$msg: Execute ERROR; 0x4d28:$ping: cmd.exe /c ping 0 -n 2 & del
(1 further entry not shown)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Njrat_1 | Yara detected Njrat | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | 0x3a9a:$a1: get_Registry; 0x4b66:$a2: SEE_MASK_NOZONECHECKS; 0x4c62:$a3: Download ERROR; 0x4b28:$a4: cmd.exe /c ping 0 -n 2 & del "; 0x4aba:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0x4b96:$a1: netsh firewall add allowedprogram; 0x4b66:$a2: SEE_MASK_NOZONECHECKS; 0x4e10:$b1: [TAP]; 0x4b28:$c3: cmd.exe /c ping
00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | 0x4b66:$reg: SEE_MASK_NOZONECHECKS; 0x4c3e:$msg: Execute ERROR; 0x4c9a:$msg: Execute ERROR; 0x4b28:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.4407298809.00000000059B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
(2 further entries not shown)

Source | Rule | Description | Author | Strings
0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.xbOnlYALvtUq.exe.59b0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.xbOnlYALvtUq.exe.7a0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
0.0.xbOnlYALvtUq.exe.7a0000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | 0x3c9a:$a1: get_Registry; 0x4d66:$a2: SEE_MASK_NOZONECHECKS; 0x4e62:$a3: Download ERROR; 0x4d28:$a4: cmd.exe /c ping 0 -n 2 & del "; 0x4cba:$a5: netsh firewall delete allowedprogram "
0.0.xbOnlYALvtUq.exe.7a0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | 0x4d28:$x1: cmd.exe /c ping 0 -n 2 & del "; 0x4e80:$s3: Executed As; 0x4e62:$s6: Download ERROR
(3 further entries not shown)
                No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
11/21/23-03:38:52.649286 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2825564 | A Network Trojan was detected
11/21/23-03:35:58.376585 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2825563 | A Network Trojan was detected
11/21/23-03:37:00.931357 | 192.168.2.5 | 49713 | 18.228.115.60 | 13065 | TCP | 2022061 | A Network Trojan was detected
11/21/23-03:38:53.381901 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2814860 | A Network Trojan was detected
11/21/23-03:36:22.077496 | 192.168.2.5 | 49713 | 18.228.115.60 | 13065 | TCP | 2022060 | A Network Trojan was detected
11/21/23-03:37:00.623314 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2825565 | A Network Trojan was detected
11/21/23-03:35:58.171440 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2033132 | A Network Trojan was detected
11/21/23-03:37:00.623314 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2019214 | A Network Trojan was detected
11/21/23-03:35:58.376585 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2814856 | A Network Trojan was detected
11/21/23-03:36:21.801212 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | 2022059 | A Network Trojan was detected
11/21/23-03:36:20.299135 | 18.228.115.60 | 13065 | 192.168.2.5 | 49704 | TCP | 2814858 | A Network Trojan was detected


                AV Detection

Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Njrat {"Host": "0.tcp.sa.ngrok.io", "Port": "13065", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
Source: xbOnlYALvtUq.exe | ReversingLabs: Detection: 92%
Source: xbOnlYALvtUq.exe | Virustotal: Detection: 87%
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: xbOnlYALvtUq.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.44