Windows Analysis Report
xbOnlYALvtUq.exe
Overview
General Information
Detection | Score | Range | Whitelisted | Confidence
---|---|---|---|---
Njrat, zgRAT | 100 | 0 - 100 | false | 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Connects to many ports of the same IP (likely port scanning)
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Classification
- System is w10x64
- xbOnlYALvtUq.exe (PID: 3472 cmdline: C:\Users\user\Desktop\xbOnlYALvtUq.exe MD5: 2BDC913D338E004AC337CFE9A44ABC55)
  - netsh.exe (PID: 5148 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\xbOnlYALvtUq.exe" "xbOnlYALvtUq.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    - conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
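The netsh child process in the tree above is the sample punching its own hole in the host firewall: it adds the executable it was launched from (a file on the user's Desktop) to the allowed-programs list so the outbound C2 connection is not blocked. The following is an added example, not code from the report, showing how a detection rule would pick this out of process-creation telemetry. It flags any netsh firewall exception whose program path lies in a user-writable directory, and separately flags the case where the parent process is allowing itself. The log records are constructed (Sysmon event 1 style); only the first command line is the one from this report, and the newer `advfirewall` syntax is handled as well because the technique is the same.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A token is a run of non-space characters in which double-quoted segments may contain
# spaces, so program="C:\Program Files\x.exe" stays one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Path fragments no legitimate installer should be adding firewall exceptions from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\desktop\\",
                 "\\downloads\\", "\\programdata\\")


@dataclass
class Finding:
    pid: int
    parent_image: str
    allowed_program: str
    reasons: tuple


def _norm(token: str) -> str:
    return token.replace('"', "").lower()


def parse_netsh_allow(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command allows through the firewall, or None.
    Handles the legacy 'firewall add allowedprogram' form seen in the report and the
    current 'advfirewall firewall add rule ... program=<path> action=allow' form."""
    argv = _TOKEN.findall(cmdline)
    if not argv:
        return None
    exe = _norm(argv[0])
    if exe not in ("netsh", "netsh.exe") and not exe.endswith("\\netsh.exe"):
        return None
    low = [_norm(a) for a in argv]
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(argv) > 4:
        return low[4]
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        prog = next((a for a in low if a.startswith("program=")), None)
        action = next((a for a in low if a.startswith("action=")), "")
        if prog and action == "action=allow":
            return prog.split("=", 1)[1]
    return None


def evaluate(events) -> List[Finding]:
    """events: process-creation records with pid, parent_image and cmdline."""
    findings = []
    for ev in events:
        prog = parse_netsh_allow(ev["cmdline"])
        if prog is None:
            continue
        reasons = []
        if any(frag in prog for frag in USER_WRITABLE):
            reasons.append("allowed program is in a user-writable directory")
        if prog == ev["parent_image"].lower():
            reasons.append("parent process is adding an exception for itself")
        if reasons:
            findings.append(Finding(ev["pid"], ev["parent_image"], prog, tuple(reasons)))
    return findings


# Constructed sample events. The first command line is the one in the report's process
# tree; the others are made up to show a benign rule and the modern netsh syntax.
SAMPLE_EVENTS = [
    {"pid": 5148, "parent_image": r"C:\Users\user\Desktop\xbOnlYALvtUq.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\Desktop\xbOnlYALvtUq.exe" "xbOnlYALvtUq.exe" ENABLE'},
    {"pid": 812, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow program="C:\Program Files\Contoso\agent.exe"'},
    {"pid": 900, "parent_image": r"C:\Users\user\AppData\Local\Temp\server.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="server" dir=in action=allow program="C:\Users\user\AppData\Local\Temp\server.exe"'},
    {"pid": 1001, "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "whoami /all"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.parent_image} allows {f.allowed_program}: {'; '.join(f.reasons)}")
```

The self-exception check is the stronger of the two signals: an installer running from a temporary directory may legitimately add a rule for a program it is installing elsewhere, but a process that adds a rule for its own image path is almost always malware preparing for its first beacon.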
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. | | |
zgRAT | zgRAT is a Remote Access Trojan that sometimes drops other malware such as AgentTesla. It has an infostealer function that targets browser data and cryptocurrency wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments. | No Attribution | |
{"Host": "0.tcp.sa.ngrok.io", "Port": "13065", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
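The configuration above gives what is needed to recognise this sample's traffic: the C2 host and port, and the field separator `|'|'|` that njRAT puts between the parts of each command. As an added example (not code from the report and not njRAT's own), here is a small stream parser built around that separator, of the kind one would drop into a sensor or a fake C2 to decode what the client sends. The length-prefix framing it assumes, each message being the decimal byte length, a NUL byte, then the payload, is taken from public write-ups of njRAT 0.7d rather than from this report; the message verbs and field values are constructed placeholders, with "HacKed" being the Campaign ID from the configuration.

```python
from dataclasses import dataclass, field
from typing import List

SEPARATOR = "|'|'|"   # the "Network Seprator" value from the extracted configuration


def frame(payload: str) -> bytes:
    """Encode one message as <decimal length>\\x00<payload>.
    Assumption: this framing comes from public write-ups of njRAT 0.7d, not from the report."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def build(*fields: str) -> bytes:
    """Frame a message whose fields are joined with the configured separator."""
    return frame(SEPARATOR.join(fields))


@dataclass
class StreamParser:
    """Reassembles framed messages from a TCP byte stream delivered in arbitrary chunks.
    Each complete message is split on the separator and appended to `messages`."""
    buf: bytes = b""
    messages: List[List[str]] = field(default_factory=list)

    def feed(self, chunk: bytes) -> None:
        self.buf += chunk
        while True:
            nul = self.buf.find(b"\x00")
            if nul < 0:
                if len(self.buf) > 10:          # a decimal length header is at most 10 digits
                    raise ValueError("no frame header in %r" % self.buf[:16])
                return                          # header incomplete, wait for more bytes
            header = self.buf[:nul]
            if not header.isdigit():
                raise ValueError("bad frame header %r" % header)
            end = nul + 1 + int(header)
            if len(self.buf) < end:
                return                          # payload incomplete, wait for more bytes
            payload = self.buf[nul + 1:end].decode("utf-8", errors="replace")
            self.buf = self.buf[end:]
            self.messages.append(payload.split(SEPARATOR))


def parse_stream(data: bytes, chunk_size: int):
    """Feed `data` in fixed-size chunks; returns (complete messages, unconsumed remainder)."""
    p = StreamParser()
    for i in range(0, len(data), chunk_size):
        p.feed(data[i:i + chunk_size])
    return p.messages, p.buf


if __name__ == "__main__":
    # Constructed traffic: verbs and field values are placeholders, "HacKed" is the
    # configured Campaign ID.
    stream = build("hello", "HacKed_ABCDEF", "user", "Windows 10") + build("ping")
    msgs, rest = parse_stream(stream, chunk_size=7)
    for m in msgs:
        print(m)
    print("leftover:", rest)
```

Two details matter for a sensor. Splitting must happen on the full five-character separator and not on `|`, because a single pipe can appear inside a field. And the parser has to tolerate a frame arriving across several TCP segments, which is why it keeps the unconsumed tail in `buf` rather than assuming one read returns one message.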
Rule | Description | Author
---|---|---
JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Windows_Trojan_Njrat_30f3c220 | unknown | unknown
CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
njrat1 | Identify njRat | Brian Wallace @botnet_hunter
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group

Rule | Description | Author
---|---|---
JoeSecurity_Njrat_1 | Yara detected Njrat | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Windows_Trojan_Njrat_30f3c220 | unknown | unknown
njrat1 | Identify njRat | Brian Wallace @botnet_hunter
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Windows_Trojan_Njrat_30f3c220 | unknown | unknown
CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
No Sigma rule has matched.
Timestamp | SID | Source IP | Source Port | Destination IP | Destination Port | Protocol | Classtype
---|---|---|---|---|---|---|---
11/21/23-03:38:52.649286 | 2825564 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:35:58.376585 | 2825563 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:37:00.931357 | 2022061 | 192.168.2.5 | 49713 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:38:53.381901 | 2814860 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:36:22.077496 | 2022060 | 192.168.2.5 | 49713 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:37:00.623314 | 2825565 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:35:58.171440 | 2033132 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:37:00.623314 | 2019214 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:35:58.376585 | 2814856 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:36:21.801212 | 2022059 | 192.168.2.5 | 49704 | 18.228.115.60 | 13065 | TCP | A Network Trojan was detected
11/21/23-03:36:20.299135 | 2814858 | 18.228.115.60 | 13065 | 192.168.2.5 | 49704 | TCP | A Network Trojan was detected
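Every alert above sits on one of two connections from the sandbox host to 18.228.115.60, and the server port is 13065, the port named in the extracted configuration. Tying the IDS signal back to the configured C2 in that way is the check that turns a pile of alerts into an attribution. Below is an added example, not from the report, that does the correlation: it folds both directions of a connection into one flow key, counts alerts and distinct rules per flow, and marks the flows whose server port is the configured one. The alert records are transcribed from this section; the report does not state which address 0.tcp.sa.ngrok.io resolved to, so the match is on port alone, and the Windows dynamic-port range used to decide which side is the client is an assumption about the sandbox VM.

```python
# Snort alerts transcribed from this report: (timestamp, sid, src_ip, src_port, dst_ip, dst_port)
ALERTS = [
    ("11/21/23-03:38:52.649286", 2825564, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:35:58.376585", 2825563, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:37:00.931357", 2022061, "192.168.2.5", 49713, "18.228.115.60", 13065),
    ("11/21/23-03:38:53.381901", 2814860, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:36:22.077496", 2022060, "192.168.2.5", 49713, "18.228.115.60", 13065),
    ("11/21/23-03:37:00.623314", 2825565, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:35:58.171440", 2033132, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:37:00.623314", 2019214, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:35:58.376585", 2814856, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:36:21.801212", 2022059, "192.168.2.5", 49704, "18.228.115.60", 13065),
    ("11/21/23-03:36:20.299135", 2814858, "18.228.115.60", 13065, "192.168.2.5", 49704),
]

# C2 port from the report's extracted configuration. The host name is not matched because
# the report does not give the address it resolved to.
C2_PORT = 13065

# Default Windows dynamic port range; assumption about the sandbox VM.
EPHEMERAL_START = 49152


def canonical_flow(src, sport, dst, dport):
    """Return (client_ip, client_port, server_ip, server_port) so that both directions of
    one connection map to the same key. The side using an ephemeral port is the client."""
    if sport >= EPHEMERAL_START and dport < EPHEMERAL_START:
        return (src, sport, dst, dport)
    if dport >= EPHEMERAL_START and sport < EPHEMERAL_START:
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)   # both or neither ephemeral: keep as observed


def group_by_flow(alerts):
    """Aggregate alerts per connection: count, distinct SIDs, direction split, time span."""
    flows = {}
    for ts, sid, src, sport, dst, dport in alerts:
        key = canonical_flow(src, sport, dst, dport)
        f = flows.setdefault(key, {"count": 0, "sids": set(), "to_server": 0,
                                   "to_client": 0, "first": ts, "last": ts})
        f["count"] += 1
        f["sids"].add(sid)
        if (src, sport) == key[:2]:
            f["to_server"] += 1
        else:
            f["to_client"] += 1
        # all timestamps share the date, so string order is chronological order
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows


def c2_flows(flows, c2_port=C2_PORT):
    """Flows whose server port is the configured C2 port; these are attributed to the RAT."""
    return {k: v for k, v in flows.items() if k[3] == c2_port}


def summarize(alerts, c2_port=C2_PORT):
    """One line per flow, earliest flow first."""
    flows = group_by_flow(alerts)
    lines = []
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        tag = "C2" if sport == c2_port else "other"
        lines.append(f"{cip}:{cport} -> {sip}:{sport} [{tag}] {f['count']} alerts, "
                     f"{len(f['sids'])} rules, {f['to_server']} to server / "
                     f"{f['to_client']} to client, {f['first']} .. {f['last']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(ALERTS)))
```

The reverse-direction alert (server port 13065 as source) lands in the same flow as the nine client-side alerts on port 49704, which is the point of canonicalising the tuple: without it a report would show three flows and overstate how many connections the sample made.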
AV Detection

Source | Detection
---|---
Malware Configuration Extractor |
ReversingLabs |
Virustotal | Perma Link
File source (5 entries) |