
Analysis Report z2d6Yt5v.exe

Overview

General Information

Sample Name: z2d6Yt5v.exe
Analysis ID: 321423
MD5: 9bb6d4f72a348ad47cc97185604f4dd9
SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
Tags: exe, njRat

Most interesting Screenshot:

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected njRat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • z2d6Yt5v.exe (PID: 6072 cmdline: 'C:\Users\user\Desktop\z2d6Yt5v.exe' MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
    • Core Service.exe (PID: 4464 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
      • netsh.exe (PID: 5416 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Core Service.exe (PID: 4276 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • Core Service.exe (PID: 4760 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • Core Service.exe (PID: 6100 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: z2d6Yt5v.exe | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: z2d6Yt5v.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: z2d6Yt5v.exe | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
Source: z2d6Yt5v.exe | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x4d88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e60:$msg: Execute ERROR
  • 0x4ebc:$msg: Execute ERROR
  • 0x4d4a:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
(3 further entries not shown)

Memory Dumps

Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4bb8:$a1: netsh firewall add allowedprogram
  • 0x4b88:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e32:$b1: [TAP]
  • 0x4b4a:$c3: cmd.exe /c ping
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x4b88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4c60:$msg: Execute ERROR
  • 0x4cbc:$msg: Execute ERROR
  • 0x4b4a:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4bb8:$a1: netsh firewall add allowedprogram
  • 0x4b88:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e32:$b1: [TAP]
  • 0x4b4a:$c3: cmd.exe /c ping
(34 further entries not shown)

Unpacked PEs

Source: 2.0.Core Service.exe.8b0000.0.unpack | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: 2.0.Core Service.exe.8b0000.0.unpack | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 2.0.Core Service.exe.8b0000.0.unpack | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
Source: 2.0.Core Service.exe.8b0000.0.unpack | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x4d88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e60:$msg: Execute ERROR
  • 0x4ebc:$msg: Execute ERROR
  • 0x4d4a:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 15.0.Core Service.exe.920000.0.unpack | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
(35 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE, CommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\Core Service.exe, ParentProcessId: 4464, ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE, ProcessId: 5416

              Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: z2d6Yt5v.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Avira: detection malicious, Label: TR/Dropper.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Metadefender: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; Metadefender: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: z2d6Yt5v.exe; Virustotal: Detection: 84%
Source: z2d6Yt5v.exe; Metadefender: Detection: 89%
Yara detected Njrat
Source: Yara match; File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match; File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match; File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match; File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match; File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match; File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match; File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: z2d6Yt5v.exe; Joe Sandbox ML: detected
Source: 15.2.Core Service.exe.920000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 15.0.Core Service.exe.920000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 7.2.Core Service.exe.ec0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 2.2.Core Service.exe.8b0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 2.0.Core Service.exe.8b0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 10.0.Core Service.exe.810000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 7.0.Core Service.exe.ec0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 10.2.Core Service.exe.810000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: global traffic; TCP traffic: 192.168.2.3:49722 -> 81.249.236.18:5553
Source: unknown; DNS traffic detected: queries for: noiphack93.hopto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: z2d6Yt5v.exe, kl.cs; .Net Code: VKCodeToUnicode
Source: Core Service.exe.0.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode

E-Banking Fraud:

Yara detected Njrat (same Yara match sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: z2d6Yt5v.exe, type: SAMPLE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: z2d6Yt5v.exe, type: SAMPLE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: z2d6Yt5v.exe, type: SAMPLE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Code function: 2_2_02B31BBA NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Code function: 2_2_02B31B7F NtQuerySystemInformation
Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs z2d6Yt5v.exe
Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs z2d6Yt5v.exe
Source: z2d6Yt5v.exe, 00000000.00000002.211523908.0000000004E80000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs z2d6Yt5v.exe
              Source: z2d6Yt5v.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: z2d6Yt5v.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: z2d6Yt5v.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@5/1
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_02B31606 AdjustTokenPrivileges,
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_02B315CF AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\z2d6Yt5v.exe.log
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Mutant created: \Sessions\1\BaseNamedObjects\af48625ee196d906557ab2d838a9cc2f
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Temp\Core Service.exe
              Source: z2d6Yt5v.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: z2d6Yt5v.exe | Virustotal: Detection: 84%
              Source: z2d6Yt5v.exe | Metadefender: Detection: 89%
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File read: C:\Users\user\Desktop\z2d6Yt5v.exe
              Source: unknown | Process created: C:\Users\user\Desktop\z2d6Yt5v.exe 'C:\Users\user\Desktop\z2d6Yt5v.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: z2d6Yt5v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: z2d6Yt5v.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: z2d6Yt5v.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: Core Service.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Code function: 0_2_005E5021 push cs; ret
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_008B5021 push cs; ret
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 7_2_00EC5021 push cs; ret
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 10_2_00815021 push cs; ret
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 15_2_00925021 push cs; ret
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Temp\Core Service.exe

              Boot Survival:

              Creates autostart registry keys with suspicious names
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f
              Drops PE files to the startup folder
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Window / User API: threadDelayed 6312
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe TID: 3984 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 5036 | Thread sleep count: 6312 > 30
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 2308 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 2044 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 5372 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: Core Service.exe, 00000002.00000002.460157889.000000000103C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWdingCollectionE)
              Source: Core Service.exe, 00000002.00000002.460157889.000000000103C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliceFiltersSection, System.Web.Mobile, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: z2d6Yt5v.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: z2d6Yt5v.exe, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: Core Service.exe.0.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: Core Service.exe.0.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
              Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager
              Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9kr
              Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager<
              Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

              Modifies the windows firewall
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
              Uses netsh to modify the Windows network and firewall settings
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE

              Stealing of Sensitive Information:

              Yara detected Njrat
              Source: Yara match | File source: z2d6Yt5v.exe, type: SAMPLE
              Source: Yara match | File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
              Source: Yara match | File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
              Source: Yara match | File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Detected njRat
              Source: z2d6Yt5v.exe, OK.cs | .Net Code: njRat config detected
              Source: Core Service.exe.0.dr, OK.cs | .Net Code: njRat config detected
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | .Net Code: njRat config detected
              Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: njRat config detected
              Yara detected Njrat
              Source: Yara match | File source: z2d6Yt5v.exe, type: SAMPLE
              Source: Yara match | File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
              Source: Yara match | File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
              Source: Yara match | File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Native API 1 | Startup Items 1 | Startup Items 1 | Masquerading 1 | Input Capture 1 | Security Software Discovery 111 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Non-Standard Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 221 | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 12 | Disable or Modify Tools 21 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 221 | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 12 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 11 | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

              Behavior Graph

              Behavior Graph ID: 321423 | Sample: z2d6Yt5v.exe | Startdate: 22/11/2020 | Architecture: WINDOWS | Score: 100
              Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 12 other signatures
              Process tree:
                z2d6Yt5v.exe (started)
                  dropped: C:\Users\user\AppData\...\Core Service.exe, PE32
                  dropped: C:\Users\user\AppData\...\z2d6Yt5v.exe.log, ASCII
                  Core Service.exe (started)
                    DNS/IP: noiphack93.hopto.org 81.249.236.18, port 5553, FranceTelecom-OrangeFR, France
                    dropped: C:\...\af48625ee196d906557ab2d838a9cc2f.exe, PE32
                    signature: Creates autostart registry keys with suspicious names
                    netsh.exe (started)
                      conhost.exe (started)
                Core Service.exe (started)
                Core Service.exe (started)
                Core Service.exe (started)

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              z2d6Yt5v.exe | 84% | Virustotal |
              z2d6Yt5v.exe | 89% | Metadefender |
              z2d6Yt5v.exe | 100% | Avira | TR/Dropper.Gen7
              z2d6Yt5v.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 100% | Avira | TR/Dropper.Gen7
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 100% | Avira | TR/Dropper.Gen7
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 84% | Virustotal |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 89% | Metadefender |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 90% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 84% | Virustotal |
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 89% | Metadefender |
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 90% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

              Unpacked PE Files

              Source | Detection | Scanner | Label
              15.2.Core Service.exe.920000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              15.0.Core Service.exe.920000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              7.2.Core Service.exe.ec0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              0.0.z2d6Yt5v.exe.5e0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              2.2.Core Service.exe.8b0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              2.0.Core Service.exe.8b0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              10.0.Core Service.exe.810000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              7.0.Core Service.exe.ec0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              0.2.z2d6Yt5v.exe.5e0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              10.2.Core Service.exe.810000.0.unpack | 100% | Avira | TR/Dropper.Gen7

              Domains

              Source | Detection | Scanner | Label
              noiphack93.hopto.org | 1% | Virustotal |

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              noiphack93.hopto.org | 81.249.236.18 | true | false | | unknown

              Contacted IPs

              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              81.249.236.18 | unknown | France | 3215 | FranceTelecom-OrangeFR | false

              General Information

              Joe Sandbox Version: 31.0.0 Red Diamond
              Analysis ID: 321423
              Start date: 22.11.2020
              Start time: 00:39:15
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 8m 7s
              Hypervisor based Inspection enabled: false
              Report type: light
              Sample file name: z2d6Yt5v.exe
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed: 30
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Detection: MAL
              Classification: mal100.troj.adwa.spyw.evad.winEXE@9/5@5/1
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 2.1% (good quality ratio 1.9%)
              • Quality average: 71%
              • Quality standard deviation: 21.5%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
              • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 51.104.144.132, 92.122.144.200, 20.54.26.129, 8.253.204.249, 8.253.95.121, 8.248.131.254, 8.248.115.254, 8.253.204.120, 51.104.139.180, 92.122.213.194, 92.122.213.247
              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              00:40:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f "C:\Users\user\AppData\Local\Temp\Core Service.exe" ..
              00:40:25 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f "C:\Users\user\AppData\Local\Temp\Core Service.exe" ..
              00:40:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f "C:\Users\user\AppData\Local\Temp\Core Service.exe" ..
              00:40:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe

              Joe Sandbox View / Context

              IPs

              Match | Associated Sample Name / URL | Detection
              81.249.236.18 | ErdS9XEU.exe | malicious
              81.249.236.18 | rTay7rkg.exe | malicious

                  Domains

                  No context

                  ASN

                  Match | Associated Sample Name / URL | Detection | Context
                  FranceTelecom-OrangeFR | ErdS9XEU.exe | malicious | 81.249.236.18
                  FranceTelecom-OrangeFR | rTay7rkg.exe | malicious | 81.249.236.18
                  FranceTelecom-OrangeFR | http://cdn.webbrowserbase.com/Bins/ASPGenericWebNavigatorInstaller_2.3.0.14_x64.exe | malicious | 2.3.0.14
                  FranceTelecom-OrangeFR | qwhWqUYlnN.exe | malicious | 80.11.163.139
                  FranceTelecom-OrangeFR | https://boolatona.live/5214774454/ | malicious | 80.12.40.169
                  FranceTelecom-OrangeFR | http://update2.control4.com/release/2.10.2.549842-res/glassedge-ota_2.10.2.549842-res.zip | malicious | 2.10.2.54
                  FranceTelecom-OrangeFR | http://download.imgburn.com/SetupImgBurn_2.5.8.0.exe | malicious | 2.5.8.0
                  FranceTelecom-OrangeFR | http://download.winzip.com/tools/winzip/releases/7fddd149-5a63-4dab-8e3f-ed9eae46d289_2.11.3.8/or/0/smartalertssetup.exe | malicious | 2.11.3.8
                  FranceTelecom-OrangeFR | newdat.ps1 | malicious | 90.121.249.114
                  FranceTelecom-OrangeFR | FederalAgency.x86 | malicious | 145.242.17.155
                  FranceTelecom-OrangeFR | https://download.wbxhub.com:443/cgi/adk/chrdl.cgi?wb_id=35781x-0F&iid=Webexplorer | malicious | 2.1.0.5

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Core Service.exe.log
                  Process: C:\Users\user\AppData\Local\Temp\Core Service.exe
                  File Type: ASCII text, with CRLF line terminators
                  Category: dropped
                  Size (bytes): 525
                  Entropy (8bit): 5.2874233355119316
                  Encrypted: false
                  SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                  MD5: 80EFBEC081D7836D240503C4C9465FEC
                  SHA1: 6AF398E08A359457083727BAF296445030A55AC3
                  SHA-256: C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                  SHA-512: DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                  Malicious: false
                  Reputation: moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\z2d6Yt5v.exe.log
                  Process: C:\Users\user\Desktop\z2d6Yt5v.exe
                  File Type: ASCII text, with CRLF line terminators
                  Category: dropped
                  Size (bytes): 525
                  Entropy (8bit): 5.2874233355119316
                  Encrypted: false
                  SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                  MD5: 80EFBEC081D7836D240503C4C9465FEC
                  SHA1: 6AF398E08A359457083727BAF296445030A55AC3
                  SHA-256: C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                  SHA-512: DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                  Malicious: true
                  Reputation: moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

                  C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Process: C:\Users\user\Desktop\z2d6Yt5v.exe
                  File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category: dropped
                  Size (bytes): 24064
                  Entropy (8bit): 5.529551954242191
                  Encrypted: false
                  SSDEEP: 384:FYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZ/7oF2:6wWkti/aeRpcnu2N
                  MD5: 9BB6D4F72A348AD47CC97185604F4DD9
                  SHA1: 7384957E8A29F517654FCBD905861574E772D3ED
                  SHA-256: 0A170CA414D288BC25EBB5CE92CCD51FF0F62B1479D669172194BF0067601DF1
                  SHA-512: 3A1E4C94AFD24C89A256DECA640467C833547FE431C2041F3AFC6FAFDD3551F7D4F14EDFA5BE6099901D4BB38526FDFE197702DD334C74D98951887187CF2C48
                  Malicious: true
                  Yara Hits:
                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: JPCERT/CC Incident Response Group
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 84%
                  • Antivirus: Metadefender, Detection: 89%
                  • Antivirus: ReversingLabs, Detection: 90%
                  Reputation: low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................V...........t... ........@.. ....................................@.................................Lt..O.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B.................t......H.......,K.. )....../....................................................0..........r...p.....r...p...........r%..p.....rG..p.....rQ..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rE..p...........*...0..;.......~....o....o....rG..p~....(.....o.....o......%(.....(......*.........,,.......0..D.......~....o....o....rG..p~....(....o......(....o.....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
                  Process: C:\Users\user\AppData\Local\Temp\Core Service.exe
                  File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category: dropped
                  Size (bytes): 24064
                  Entropy (8bit): 5.529551954242191
                  Encrypted: false
                  SSDEEP: 384:FYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZ/7oF2:6wWkti/aeRpcnu2N
                  MD5: 9BB6D4F72A348AD47CC97185604F4DD9
                  SHA1: 7384957E8A29F517654FCBD905861574E772D3ED
                  SHA-256: 0A170CA414D288BC25EBB5CE92CCD51FF0F62B1479D669172194BF0067601DF1
                  SHA-512: 3A1E4C94AFD24C89A256DECA640467C833547FE431C2041F3AFC6FAFDD3551F7D4F14EDFA5BE6099901D4BB38526FDFE197702DD334C74D98951887187CF2C48
                  Malicious: true
                  Yara Hits:
                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: JPCERT/CC Incident Response Group
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 84%
                  • Antivirus: Metadefender, Detection: 89%
                  • Antivirus: ReversingLabs, Detection: 90%
                  Reputation: low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................V...........t... ........@.. ....................................@.................................Lt..O.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B.................t......H.......,K.. )....../....................................................0..........r...p.....r...p...........r%..p.....rG..p.....rQ..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rE..p...........*...0..;.......~....o....o....rG..p~....(.....o.....o......%(.....(......*.........,,.......0..D.......~....o....o....rG..p~....(....o......(....o.....

                  \Device\ConDrv
                  Process: C:\Windows\SysWOW64\netsh.exe
                  File Type: ASCII text, with CRLF line terminators
                  Category: dropped
                  Size (bytes): 313
                  Entropy (8bit): 4.971939296804078
                  Encrypted: false
                  SSDEEP: 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                  MD5: 689E2126A85BF55121488295EE068FA1
                  SHA1: 09BAAA253A49D80C18326DFBCA106551EBF22DD6
                  SHA-256: D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                  SHA-512: C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                  Malicious: false
                  Reputation: moderate, very likely benign file
                  Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                  Static File Info

                  General

                  File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit): 5.529551954242191
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                  File name: z2d6Yt5v.exe
                  File size: 24064
                  MD5: 9bb6d4f72a348ad47cc97185604f4dd9
                  SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
                  SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
                  SHA512: 3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48
                  SSDEEP: 384:FYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZ/7oF2:6wWkti/aeRpcnu2N
                  File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................V...........t... ........@.. ....................................@................................

                  File Icon

                  Icon Hash: 00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint: 0x40749e
                  Entrypoint Section: .text
                  Digitally signed: false
                  Imagebase: 0x400000
                  Subsystem: windows gui
                  Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp: 0x5FB99AA1 [Sat Nov 21 22:54:25 2020 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version: v2.0.50727
                  OS Version Major: 4
                  OS Version Minor: 0
                  File Version Major: 4
                  File Version Minor: 0
                  Subsystem Version Major: 4
                  Subsystem Version Minor: 0
                  Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al   (repeated 97 times)

                  The single jmp is the standard native stub of a .NET executable: 0x00402000 is Imagebase 0x400000 plus the IAT entry at RVA 0x2000 (see Data Directories), which holds the address of mscoree.dll!_CorExeMain, the only import listed below. The 97 "add byte ptr [eax], al" instructions that follow are the disassembly of 0x00 padding bytes, not real code.

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x744c | 0x4f | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x240 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x54a4 | 0x5600 | False | 0.490098110465 | data | 5.57654676439 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x8000 | 0x240 | 0x400 | False | 0.310546875 | data | 4.9660813397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_MANIFEST | 0x8058 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 22, 2020 00:40:17.890508890 CET | 49722 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:20.973413944 CET | 49722 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:26.973902941 CET | 49722 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:41.291666985 CET | 49730 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:44.303378105 CET | 49730 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:50.319463968 CET | 49730 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:04.526819944 CET | 49740 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:07.541851044 CET | 49740 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:13.558038950 CET | 49740 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:27.847527981 CET | 49741 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:30.856450081 CET | 49741 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:36.856708050 CET | 49741 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:51.167507887 CET | 49744 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:54.170566082 CET | 49744 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:42:00.186686039 CET | 49744 | 5553 | 192.168.2.3 | 81.249.236.18

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 22, 2020 00:39:54.824812889 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:54.852051020 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:39:55.577775955 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:55.605178118 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:39:56.278990984 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:56.306338072 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:39:57.062254906 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:57.098078966 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:39:58.065080881 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:58.100954056 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:39:58.990433931 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:59.017735958 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:39:59.719111919 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:39:59.755022049 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:01.396975040 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:01.432693958 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:02.044631958 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:02.071861982 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:17.847650051 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:17.885140896 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:20.254879951 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:20.282639980 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:32.367813110 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:32.424653053 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:35.789303064 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:35.842669964 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:41.250149965 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:41.287931919 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:43.834106922 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:43.861291885 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:54.670659065 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:54.697799921 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:40:58.006330013 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:40:58.043577909 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:41:04.489526987 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:41:04.525306940 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:41:27.808214903 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:41:27.845371962 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:41:28.968875885 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:41:28.996134043 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:41:30.149065971 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:41:30.199475050 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                  Nov 22, 2020 00:41:51.128329992 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                  Nov 22, 2020 00:41:51.164169073 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Nov 22, 2020 00:40:17.847650051 CET | 192.168.2.3 | 8.8.8.8 | 0x9347 | Standard query (0) | noiphack93.hopto.org | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:40:41.250149965 CET | 192.168.2.3 | 8.8.8.8 | 0xc086 | Standard query (0) | noiphack93.hopto.org | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:41:04.489526987 CET | 192.168.2.3 | 8.8.8.8 | 0x2762 | Standard query (0) | noiphack93.hopto.org | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:41:27.808214903 CET | 192.168.2.3 | 8.8.8.8 | 0x10f1 | Standard query (0) | noiphack93.hopto.org | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:41:51.128329992 CET | 192.168.2.3 | 8.8.8.8 | 0x23dd | Standard query (0) | noiphack93.hopto.org | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Nov 22, 2020 00:40:17.885140896 CET | 8.8.8.8 | 192.168.2.3 | 0x9347 | No error (0) | noiphack93.hopto.org | - | 81.249.236.18 | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:40:41.287931919 CET | 8.8.8.8 | 192.168.2.3 | 0xc086 | No error (0) | noiphack93.hopto.org | - | 81.249.236.18 | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:41:04.525306940 CET | 8.8.8.8 | 192.168.2.3 | 0x2762 | No error (0) | noiphack93.hopto.org | - | 81.249.236.18 | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:41:27.845371962 CET | 8.8.8.8 | 192.168.2.3 | 0x10f1 | No error (0) | noiphack93.hopto.org | - | 81.249.236.18 | A (IP address) | IN (0x0001)
                  Nov 22, 2020 00:41:51.164169073 CET | 8.8.8.8 | 192.168.2.3 | 0x23dd | No error (0) | noiphack93.hopto.org | - | 81.249.236.18 | A (IP address) | IN (0x0001)

                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time: 00:39:59
                  Start date: 22/11/2020
                  Path: C:\Users\user\Desktop\z2d6Yt5v.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\user\Desktop\z2d6Yt5v.exe'
                  Imagebase: 0x5e0000
                  File size: 24064 bytes
                  MD5 hash: 9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  General

                  Start time: 00:40:06
                  Start date: 22/11/2020
                  Path: C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
                  Imagebase: 0x8b0000
                  File size: 24064 bytes
                  MD5 hash: 9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: JPCERT/CC Incident Response Group
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 84%, Virustotal, Browse
                  • Detection: 89%, Metadefender, Browse
                  • Detection: 90%, ReversingLabs
                  Reputation: low

                  General

                  Start time: 00:40:14
                  Start date: 22/11/2020
                  Path: C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit): true
                  Commandline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
                  Imagebase: 0xd90000
                  File size: 82944 bytes
                  MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 00:40:14
                  Start date: 22/11/2020
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff6b2800000
                  File size: 625664 bytes
                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 00:40:25
                  Start date: 22/11/2020
                  Path: C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
                  Imagebase: 0xec0000
                  File size: 24064 bytes
                  MD5 hash: 9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  General

                  Start time: 00:40:33
                  Start date: 22/11/2020
                  Path: C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
                  Imagebase: 0x810000
                  File size: 24064 bytes
                  MD5 hash: 9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  General

                  Start time: 00:40:41
                  Start date: 22/11/2020
                  Path: C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
                  Imagebase: 0x920000
                  File size: 24064 bytes
                  MD5 hash: 9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  Disassembly

                  Code Analysis
