Play interactive tour

Edit tour

Analysis Report 12_pgr.exe

Overview

General Information

Sample Name:	12_pgr.exe
Analysis ID:	399305
MD5:	a08f2fac257abbbdddbbd4439f32cfd0
SHA1:	26d3ed4771b701a82f6aa32b747e27bb26e9864c
SHA256:	bfd5d84c4fed8f9d23f94fe32bb7ee415dbe632c2ebaac642dbfdb73f89d0833
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

njRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected njRat

Found malware configuration

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Antivirus or Machine Learning detection for unpacked file

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

12_pgr.exe (PID: 6756 cmdline: 'C:\Users\user\Desktop\12_pgr.exe' MD5: A08F2FAC257ABBBDDDBBD4439F32CFD0)

netsh.exe (PID: 7004 cmdline: netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
12_pgr.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
12_pgr.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12_pgr.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
12_pgr.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9e:$a1: netsh firewall add allowedprogram 0x4b6e:$a2: SEE_MASK_NOZONECHECKS 0x4e18:$b1: [TAP] 0x4b30:$c3: cmd.exe /c ping
00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6e:$reg: SEE_MASK_NOZONECHECKS 0x4c46:$msg: Execute ERROR 0x4ca2:$msg: Execute ERROR 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9e:$a1: netsh firewall add allowedprogram 0x4b6e:$a2: SEE_MASK_NOZONECHECKS 0x4e18:$b1: [TAP] 0x4b30:$c3: cmd.exe /c ping
00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6e:$reg: SEE_MASK_NOZONECHECKS 0x4c46:$msg: Execute ERROR 0x4ca2:$msg: Execute ERROR 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: 12_pgr.exe PID: 6756	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.12_pgr.exe.ee0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
1.0.12_pgr.exe.ee0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.0.12_pgr.exe.ee0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
1.0.12_pgr.exe.ee0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
1.2.12_pgr.exe.ee0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
1.2.12_pgr.exe.ee0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.2.12_pgr.exe.ee0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
1.2.12_pgr.exe.ee0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 12_pgr.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Avira: detection malicious, Label: TR/Dropper.Gen7

Found malware configuration

Show sources

Source: 1.0.12_pgr.exe.ee0000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}

Yara detected Njrat

Show sources

Source: Yara match	File source: 12_pgr.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 12_pgr.exe

Joe Sandbox ML: detected

Source: 1.0.12_pgr.exe.ee0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 1.2.12_pgr.exe.ee0000.0.unpack	Avira: Label: TR/Dropper.Gen7

Source: 12_pgr.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\12_pgr.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 12_pgr.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49734 -> 185.140.53.71:3429

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 185.140.53.71

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 185.140.53.71:3429

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 12_pgr.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 1.0.12_pgr.exe.ee0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 1.2.12_pgr.exe.ee0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud:

Yara detected Njrat

Show sources

Source: Yara match	File source: 12_pgr.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 12_pgr.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12_pgr.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12_pgr.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: 12_pgr.exe, 00000001.00000002.920058520.0000000005EB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs 12_pgr.exe
Source: 12_pgr.exe, 00000001.00000002.920027771.0000000005E90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs 12_pgr.exe

Source: 12_pgr.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12_pgr.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12_pgr.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12_pgr.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/3@0/1

Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_057E282E AdjustTokenPrivileges,		1_2_057E282E
Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_057E27F7 AdjustTokenPrivileges,		1_2_057E27F7

Source: C:\Users\user\Desktop\12_pgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Users\user\Desktop\12_pgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\79c06ef4ef423d882819c4e66285ec85
Source: C:\Users\user\Desktop\12_pgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 12_pgr.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\12_pgr.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe

File read: C:\Users\user\Desktop\12_pgr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\12_pgr.exe 'C:\Users\user\Desktop\12_pgr.exe'
Source: C:\Users\user\Desktop\12_pgr.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\12_pgr.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 12_pgr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\12_pgr.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 12_pgr.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 12_pgr.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_00EE5021 push cs; ret	1_2_00EE5022
Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_05C30773 push es; ret	1_2_05C30776
Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_05C31F74 push ds; ret	1_2_05C31F7A
Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_05C30778 push es; ret	1_2_05C3077A
Source: C:\Users\user\Desktop\12_pgr.exe	Code function: 1_2_05C30F7F push cs; ret	1_2_05C30F82

Source: C:\Users\user\Desktop\12_pgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\12_pgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Jump to dropped file

Source: C:\Users\user\Desktop\12_pgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe			Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\12_pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe

Window / User API: threadDelayed 6654

Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe TID: 7104

Thread sleep count: 6654 > 30

Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\12_pgr.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\12_pgr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 12_pgr.exe, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 12_pgr.exe, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.0.12_pgr.exe.ee0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.12_pgr.exe.ee0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Source: 12_pgr.exe, 00000001.00000002.918571397.00000000012FA000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: 12_pgr.exe, 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|9
Source: 12_pgr.exe, 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\user\Desktop\12_pgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\12_pgr.exe

Code function: 1_2_057E0776 GetUserNameW,

1_2_057E0776

Source: C:\Users\user\Desktop\12_pgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\12_pgr.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Users\user\Desktop\12_pgr.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE

Stealing of Sensitive Information:

Yara detected Njrat

Show sources

Source: Yara match	File source: 12_pgr.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected njRat

Show sources

Source: 12_pgr.exe, OK.cs	.Net Code: njRat config detected
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs	.Net Code: njRat config detected
Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs	.Net Code: njRat config detected

Yara detected Njrat

Show sources

Source: Yara match	File source: 12_pgr.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Startup Items1	Startup Items1	Masquerading1	Input Capture1	Virtualization/Sandbox Evasion1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Non-Standard Port1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder12	Access Token Manipulation1	Virtualization/Sandbox Evasion1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection2	Disable or Modify Tools21	Security Account Manager	Application Window Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder12	Access Token Manipulation1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection2	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing11	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
12_pgr.exe	100%	Avira	TR/Dropper.Gen7
12_pgr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.12_pgr.exe.ee0000.0.unpack	100%	Avira	TR/Dropper.Gen7		Download File
1.2.12_pgr.exe.ee0000.0.unpack	100%	Avira	TR/Dropper.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
185.140.53.71	5%	Virustotal		Browse
185.140.53.71	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.140.53.71	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.71	unknown	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	399305
Start date:	28.04.2021
Start time:	16:31:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	12_pgr.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@4/3@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 78% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time	Type	Description
16:32:54	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.140.53.71	tmp2.exe	Get hash	malicious	Browse
185.140.53.71	tmp.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	PROFORMA INVOICE - 20 - 195.exe	Get hash	malicious	Browse	185.244.30.174
	s6q3QzFIOq.exe	Get hash	malicious	Browse	185.140.53.134
	doc07621220210416113300.exe	Get hash	malicious	Browse	185.140.53.230
	coYw2XDPaF.exe	Get hash	malicious	Browse	185.140.53.132
	Query_Ref_5787533_pdf.exe	Get hash	malicious	Browse	185.244.30.130
	Stub.jar	Get hash	malicious	Browse	185.140.53.157
	Stub.jar	Get hash	malicious	Browse	185.140.53.157
	nXa6P8N8MS.exe	Get hash	malicious	Browse	185.140.53.9
	PyHPFWvsNO.exe	Get hash	malicious	Browse	185.140.53.134
	HTzq6leC2g.exe	Get hash	malicious	Browse	185.140.53.137
	Order Q18DL-459R.doc__.rtf	Get hash	malicious	Browse	185.140.53.130
	clKy1KkGOa.exe	Get hash	malicious	Browse	185.140.53.139
	New_Quotation_Request.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	__RFQAP65425652032421_pdf.exe	Get hash	malicious	Browse	185.140.53.9
	QUOTATION_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	Urgence RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse	185.140.53.9
	URGENTPURCHASEORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	TRACKING UPDATE.exe	Get hash	malicious	Browse	185.140.53.10
	NEW_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	samples ordered 024791.exe	Get hash	malicious	Browse	185.140.53.69

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe Download File
Process:	C:\Users\user\Desktop\12_pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.525319833157279
Encrypted:	false
SSDEEP:	384:o8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZU4:uY+sNKqNHnSdRpcnuq
MD5:	A08F2FAC257ABBBDDDBBD4439F32CFD0
SHA1:	26D3ED4771B701A82F6AA32B747E27BB26E9864C
SHA-256:	BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
SHA-512:	3BEAD648A1AD82BD4E5599A55AE573B4CE6DC24EBDC3F0DAEC2C0A327CA1BF5E45A254E4F2480CEE0FEC0A4F83B15863679A63F7DCC0CE37D8F50E644BEFEF40
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`.................V...........t... ........@.. ....................................@.................................4t..W.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................pt......H.......,K...)....../....................................................0..........r...p.....r...p...........r%..p.....r;..p.....rE..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r+..p..............0..;.......~....o....o....r-..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r-..p~....(....o......(....o.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\12_pgr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.525319833157279
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	12_pgr.exe
File size:	24064
MD5:	a08f2fac257abbbdddbbd4439f32cfd0
SHA1:	26d3ed4771b701a82f6aa32b747e27bb26e9864c
SHA256:	bfd5d84c4fed8f9d23f94fe32bb7ee415dbe632c2ebaac642dbfdb73f89d0833
SHA512:	3bead648a1ad82bd4e5599a55ae573b4ce6dc24ebdc3f0daec2c0a327ca1bf5e45a254e4f2480cee0fec0a4f83b15863679a63f7dcc0ce37d8f50e644befef40
SSDEEP:	384:o8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZU4:uY+sNKqNHnSdRpcnuq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`.................V...........t... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40748e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6086053D [Mon Apr 26 00:11:41 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7434	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5494	0x5600	False	0.488599200581	data	5.5720041865	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x240	0x400	False	0.310546875	data	4.9660813397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x8058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/28/21-16:32:55.155448	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49734	3429	192.168.2.4	185.140.53.71

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 16:32:54.619741917 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:32:54.865974903 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:32:54.866131067 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:32:55.155447960 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:32:55.451925039 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:32:55.452029943 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:32:55.748419046 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:00.528876066 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:01.115314960 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:01.144789934 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:01.193471909 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:01.362715960 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:01.759037018 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:02.051156044 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:08.880624056 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:09.176733017 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:19.213098049 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:19.213903904 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:19.509521008 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:25.273648977 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:25.572099924 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:33.398293972 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:33.714406013 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:37.264590979 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:37.265167952 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:37.571408987 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:55.315387964 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:55.367955923 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:55.677125931 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:55.983496904 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:33:58.244343042 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:33:58.537512064 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:06.369776011 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:34:06.666910887 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:13.365400076 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:13.370018005 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:34:13.670826912 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:31.406919003 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:31.407501936 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:34:31.700289965 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:31.700442076 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:34:32.042958021 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:39.801275969 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:34:40.118402004 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:49.483689070 CEST	3429	49734	185.140.53.71	192.168.2.4
Apr 28, 2021 16:34:49.484671116 CEST	49734	3429	192.168.2.4	185.140.53.71
Apr 28, 2021 16:34:49.778197050 CEST	3429	49734	185.140.53.71	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 12_pgr.exe PID: 6756 Parent PID: 5868

General

Start time:	16:32:43
Start date:	28/04/2021
Path:	C:\Users\user\Desktop\12_pgr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\12_pgr.exe'
Imagebase:	0xee0000
File size:	24064 bytes
MD5 hash:	A08F2FAC257ABBBDDDBBD4439F32CFD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: netsh.exe PID: 7004 Parent PID: 6756

General

Start time:	16:32:51
Start date:	28/04/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE
Imagebase:	0x9f0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7040 Parent PID: 7004

General

Start time:	16:32:51
Start date:	28/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 12_pgr.exe PID: 6756 Parent PID: 5868 12_pgr.exeCOMMON

Executed Functions

Function 057E27F7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 057E2877

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 890416c208bd636284e1c7fbe684f35eb348b6e5ff6636c4affaec7349693060
Instruction ID: 855447120ec055b15ee5a8267c9704d12213f504876c6c23dfe1b6562955395d
Opcode Fuzzy Hash: 890416c208bd636284e1c7fbe684f35eb348b6e5ff6636c4affaec7349693060
Instruction Fuzzy Hash: 86219F755097849FEB228F25DC44B52BFF8FF06210F0884DAE9858F563D271D908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 057E282E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 057E2877

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 46e2a6184a381ebc7941cdc580c657df0abbbdb702a34c7460a9b7741da3cf0b
Instruction ID: caea9fbd1228fccf795b76284b611b0a26fefa32b242b29d69c326e8ee9d3ed0
Opcode Fuzzy Hash: 46e2a6184a381ebc7941cdc580c657df0abbbdb702a34c7460a9b7741da3cf0b
Instruction Fuzzy Hash: F5115E795003049FEB21CF5AD884B66FBE8FF08320F08C4AAED858B656D375E454DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E0776, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 057E07C6

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8954fbe716260c9a3b8ec81fadfb3f3f54cbf026b03473097e4889913349e87e
Instruction ID: f63a80acba44f19836d3737a1f8ec75c3186808f405ed690763e3b909e8b7436
Opcode Fuzzy Hash: 8954fbe716260c9a3b8ec81fadfb3f3f54cbf026b03473097e4889913349e87e
Instruction Fuzzy Hash: 1E01A271500601ABD214DF1ADC86B36FBE8FB89B20F14815AED085B741D231F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 017DA710, Relevance: 3.1, APIs: 2, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 017DA6B9
FindCloseChangeNotification.KERNELBASE(?), ref: 017DA780

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindMutexNotification
String ID:
API String ID: 2967213129-0
Opcode ID: 505c33d134ee90933f1561f0c1c92cae2fcff506e431ca2ac5fab74a684c31ba
Instruction ID: df7cd4f2548db33a5bc8f861fd7937de95970e60f75ab0e2f253d7f4b4972ed2
Opcode Fuzzy Hash: 505c33d134ee90933f1561f0c1c92cae2fcff506e431ca2ac5fab74a684c31ba
Instruction Fuzzy Hash: A931D0B14053849FE712CB19E985792BFB4EF02224F0980ABDD858F253D3359809CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 056912E8, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0569130F

Memory Dump Source

Source File: 00000001.00000002.919500107.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b943506d798f5e58ca472ba5e166728f22f56e2529c937a44b1a8ac375014c17
Instruction ID: 8a6b3a59ab6c9d778b8864fa70b899f56438dcbfd99afc1ceb9a37cb3609db86
Opcode Fuzzy Hash: b943506d798f5e58ca472ba5e166728f22f56e2529c937a44b1a8ac375014c17
Instruction Fuzzy Hash: CC416275A002058FCB18DF78D8885ADB7F6EF89314B248569D409DF359DB34DD81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 056912DB, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0569130F

Memory Dump Source

Source File: 00000001.00000002.919500107.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c935555c05542836588b62bc4fe942f6347ccfb21d9fa7ace476187fa5431302
Instruction ID: d24e49549106b5bedf9d66414aeab6f3ee607f6f74077db2a755c94a3629ac92
Opcode Fuzzy Hash: c935555c05542836588b62bc4fe942f6347ccfb21d9fa7ace476187fa5431302
Instruction Fuzzy Hash: 82414371A002058FCB18DF78C48856DBBF6EF89354B24856AD809EF359DB35DD81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 057E02AB, Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 057E0372

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a4a4abeb67fda604bc3c09805f227f33fde5252135e87c31c4b0d94c85e328fc
Instruction ID: 9124171f4da30a83115ac2e3a3ef29c1441d2c9efb26ad17f59b190fb679a7c4
Opcode Fuzzy Hash: a4a4abeb67fda604bc3c09805f227f33fde5252135e87c31c4b0d94c85e328fc
Instruction Fuzzy Hash: E631A06540E3C06FD3138B258C65A62BFB4EF47610B0E85CBE8C48F5A3D125A91AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 057E2302, Relevance: 1.6, APIs: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 057E23C9

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f90afb056ec7ff02a13a25d417911895059968cad36e7412bf6fb3d6cf0f62b4
Instruction ID: f2a157901548e930482741eebb664999cf99cfb57b42b76b029c3b211af9165c
Opcode Fuzzy Hash: f90afb056ec7ff02a13a25d417911895059968cad36e7412bf6fb3d6cf0f62b4
Instruction Fuzzy Hash: 38318D72504744AFE722CF25CC84F67BFECEF09310F08899AE9859B152D324E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DA7C7, Relevance: 1.6, APIs: 1, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 017DA879

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 52a9c7a168756d3268e940da55fded47e0ee79223b348cc64d6eaf5c38a5f694
Instruction ID: 4eb1868d868f85e7e9217371353861c32a4e365434426a70ca58a191ae982698
Opcode Fuzzy Hash: 52a9c7a168756d3268e940da55fded47e0ee79223b348cc64d6eaf5c38a5f694
Instruction Fuzzy Hash: CC31B3B25487846FE7228B659C85FA7BFF8EF06310F08849AED809B153D224E50AC771

Uniqueness

Uniqueness Score: -1.00%

Function 017DA612, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 017DA6B9

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1c86828c775d0f441b1a0d58ea45f517bc060d23d6030ce386aa36a233a33ba2
Instruction ID: f402ceccaae60f4040eb5003c396ce0a499eecebc3a7834c128c18cc4d5dd97b
Opcode Fuzzy Hash: 1c86828c775d0f441b1a0d58ea45f517bc060d23d6030ce386aa36a233a33ba2
Instruction Fuzzy Hash: 7231A1B1509780AFE722CB25CC85B56FFF8EF06310F09849AE9848B293D335E809C761

Uniqueness

Uniqueness Score: -1.00%

Function 057E0FD8, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E1075

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 62c70cbd3096a582dfc83097a6c2bba5f539f20e26b098b722e7ed40c473f3e6
Instruction ID: b4e5c61a4ef703aedb8f9ec9d2cbc53a7f5c671db0ec5211bcd5caba300044a2
Opcode Fuzzy Hash: 62c70cbd3096a582dfc83097a6c2bba5f539f20e26b098b722e7ed40c473f3e6
Instruction Fuzzy Hash: 1A31A5B2509380AFE7228F25DC45FA7BFB8EF46310F0884AAE985DB153D235D505CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E08D4, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 057E096B

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 385a9ebb683b2aefd648452dc05f6559ef2fd610d21bdfa0970b38edb454dfb6
Instruction ID: d89f061c6ac8b0435fc16c5f243a9e0f8e7603ad771c2f1c85ac863131395fd5
Opcode Fuzzy Hash: 385a9ebb683b2aefd648452dc05f6559ef2fd610d21bdfa0970b38edb454dfb6
Instruction Fuzzy Hash: 1B3193725043456FE722CF25DC89F67BFECEF05320F0884AAE984DB152D264E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E0B6C, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 057E0C1E

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4586a0fe3488af83d0f775d525de57f2ab315ac03cf767d6ab1057f5636c904e
Instruction ID: 2cdc8cfc06e75b1e387277f5ee83149c99dcad9634f016fc126c7a17ca7a446d
Opcode Fuzzy Hash: 4586a0fe3488af83d0f775d525de57f2ab315ac03cf767d6ab1057f5636c904e
Instruction Fuzzy Hash: F931A4B2405780AFE722CF55DC85F96FFF8EF05320F08859AE9849B162D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DADF9, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 017DAE9D

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 300675df17d93bdabaacd8ac476c3d7a46f1363127a98fd3d312ba11b310e256
Instruction ID: 34ff180d702552303d8b48728b89c682ae1cf9c3f08a4bc7fddaa77a0f4c9ca4
Opcode Fuzzy Hash: 300675df17d93bdabaacd8ac476c3d7a46f1363127a98fd3d312ba11b310e256
Instruction Fuzzy Hash: EF317CB1504744AFE722CF25DC85F66FFE8EF09310F0884AAE9858B252D375E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DA8C1, Relevance: 1.6, APIs: 1, Instructions: 86windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E2C), ref: 017DA97D

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 03658218fd4b130707fe2d03c597342e189e6140e1bd0b51905b55500fb8a9e9
Instruction ID: 7dee9f9f34661cc9e50ebe44f38b804b93c94296e646204c4c0e24d9906e5cf8
Opcode Fuzzy Hash: 03658218fd4b130707fe2d03c597342e189e6140e1bd0b51905b55500fb8a9e9
Instruction Fuzzy Hash: AD31E371009784AFEB228F61DC45FA6FFB8EF06320F18849EE9858F153D275A409CB65

Uniqueness

Uniqueness Score: -1.00%

Function 057E232E, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 057E23C9

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 27480f1941e0360c60f574a0fb49b3d02024c926e5c050a5172a3e898e1c4e48
Instruction ID: a8ff30954965e78da10e3dbe0e141387226b042bd1da13f9d53dfce8dc29efc9
Opcode Fuzzy Hash: 27480f1941e0360c60f574a0fb49b3d02024c926e5c050a5172a3e898e1c4e48
Instruction Fuzzy Hash: 0521A076600704AFEB21CF19CC84F67FBECEF08710F04896AE945DA652D620E9058B71

Uniqueness

Uniqueness Score: -1.00%

Function 017DA361, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DA40C

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b61aebf76cde062ac1870c9df92557568b0d71ff1335957f657cad9802a8221a
Instruction ID: be28a807afd0cb2b98afa15c41c0d7f8b2846164de433f7c96a046553f772d02
Opcode Fuzzy Hash: b61aebf76cde062ac1870c9df92557568b0d71ff1335957f657cad9802a8221a
Instruction Fuzzy Hash: 3D318EB1509784AFE722CF25CC84F52FFF8EF06710F08859AE9859B193D264E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DA120, Relevance: 1.6, APIs: 1, Instructions: 82networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 017DA1C2

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 1e6bd516efb164b750491d2f1c372963a3dabd3411969c84033e5dccb170c7e2
Instruction ID: 0c5e6b2239713e62d577e3d63119b5fd66537735e6546b7109534c7fef9751cd
Opcode Fuzzy Hash: 1e6bd516efb164b750491d2f1c372963a3dabd3411969c84033e5dccb170c7e2
Instruction Fuzzy Hash: 3321DE7140D3C06FD7138B368C51BA6BFB4EF47620F0981DBD8848F293D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 057E1358, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 057E13FE

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: cdfed1ffe321d877ddd38ee7582e4ed07a70cffe6f59d7dd8bb0c51ab67aeda6
Instruction ID: 1033b32a49b3ee867df2012f22de8104ce4d7a0bee50aaa17fb31bfdf9c2f390
Opcode Fuzzy Hash: cdfed1ffe321d877ddd38ee7582e4ed07a70cffe6f59d7dd8bb0c51ab67aeda6
Instruction Fuzzy Hash: 6331917150D3C16FD3138B258C55B62BFB8EF47610F0981DBE8848F5A3D225A949C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 057E25A1, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 057E2630

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 3f72356133072d1ccca62441098bb914e7d3e3e5375f3e0ae301b26682524286
Instruction ID: 7cb198741b7dffa946ff9d0282e653e333c089258ae5434d6e754ff2432f199e
Opcode Fuzzy Hash: 3f72356133072d1ccca62441098bb914e7d3e3e5375f3e0ae301b26682524286
Instruction Fuzzy Hash: 21215C755093849FD722CF25DC44A62BFF8FF0A214F0885DAE984CB563D264A808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E2979, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2A00

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 0597e21f223f6778957797ac6231d689e9baff3759eb37bdf079b183f13e34a4
Instruction ID: 40d2574f45167769c0343aeddaf5acf2f7902c78b31ba7b5f58034c4a9fd585f
Opcode Fuzzy Hash: 0597e21f223f6778957797ac6231d689e9baff3759eb37bdf079b183f13e34a4
Instruction Fuzzy Hash: 882174715093846FE712CF25DC45F96BFA8EF46310F1884EBE984DF193D264A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 057E0A8A, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 057E0B15

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 4f0dda4afe3388c292d55fff89c1c758319671cce1688eca6e936b50584111de
Instruction ID: 6f502aae9bdabfdd488a97d809736af8eaa8abe1c54263c22b25fe4cf4226dd9
Opcode Fuzzy Hash: 4f0dda4afe3388c292d55fff89c1c758319671cce1688eca6e936b50584111de
Instruction Fuzzy Hash: 282171B1509380AFE722CF25DC45F66FFE8EF05310F08849AE9858B252D375E944C765

Uniqueness

Uniqueness Score: -1.00%

Function 017DAEF4, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DAF89

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f1ec1c10a643ec11d5149776a7203eda6b9a5976ef15c2b72e7b03a0db07968d
Instruction ID: 1545923bba173e67ef9d73bb498a46e699c486052eb3f12b4d07ced3e45ad8d9
Opcode Fuzzy Hash: f1ec1c10a643ec11d5149776a7203eda6b9a5976ef15c2b72e7b03a0db07968d
Instruction Fuzzy Hash: E921D6B64087846FE713CB259C40BA2BFB8EF46720F1884DAE9849B153D224E905C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 017DA462, Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DA4F8

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 58e5b860ce157526f8c2721eee96ec18413e9ffe090bbce700d5b9abcfc284b4
Instruction ID: 491fff4c611b870a5ce7152a606034d3a069c8b94813cd5185b2e6ac8c5a731d
Opcode Fuzzy Hash: 58e5b860ce157526f8c2721eee96ec18413e9ffe090bbce700d5b9abcfc284b4
Instruction Fuzzy Hash: A52181B25043846FE7228F15DC45F67FFB8EF45610F08849AE985DB152C264E448C771

Uniqueness

Uniqueness Score: -1.00%

Function 057E039E, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 057E042A

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 0e782d8f9a6079b3e75c1092f5c14bf21c4c1d3ec19d62d460b97b757aae1876
Instruction ID: 7129ad6bf2c3cec1874fccdc7c881e4e3efcd040c32aa14fc318649e53568e17
Opcode Fuzzy Hash: 0e782d8f9a6079b3e75c1092f5c14bf21c4c1d3ec19d62d460b97b757aae1876
Instruction Fuzzy Hash: C2219C71509780AFE7228F65DC48F66FFF8EF0A310F08849EE9858B252D275A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DAE1E, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 017DAE9D

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3676687efa42840a35461e0c107a2d9db557e43b6704a8e34755509d208ba3e8
Instruction ID: 9d01b63b208969ba14366b3cca4be0078c19467cbb03e25d30ae1258f54ee987
Opcode Fuzzy Hash: 3676687efa42840a35461e0c107a2d9db557e43b6704a8e34755509d208ba3e8
Instruction Fuzzy Hash: C3217A71600744AFE721CF6ADD85B66FBE8FF08710F08886AE9858B652D375E508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 057E2670, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 057E26F6

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 540a12411f5a830cb4002a670886c08ae3d4deaf8c5748ccb1c8b5a1c8c54bf9
Instruction ID: 69acb22b6520b7c3ed77710b1a10211c01c2dd1a64f134322c49b5ea8075d96f
Opcode Fuzzy Hash: 540a12411f5a830cb4002a670886c08ae3d4deaf8c5748ccb1c8b5a1c8c54bf9
Instruction Fuzzy Hash: DE21A4B65093849FD712CF25DC54B52BFA8AF46224F1C84DAED89CF253D235D808D761

Uniqueness

Uniqueness Score: -1.00%

Function 057E08FA, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 057E096B

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 8dfd7c665745cbdf4667df0466a52fa48cadad083a58c0377193829c5ec97c53
Instruction ID: f1b71a0d6139efc7c82beafb3c573d1070167ad07bf533bbaf5c2aaa6c22458c
Opcode Fuzzy Hash: 8dfd7c665745cbdf4667df0466a52fa48cadad083a58c0377193829c5ec97c53
Instruction Fuzzy Hash: 8421A471600305AFEB20DF29DC89F6AFBACEF04720F04846AED45DB242D674E4058B71

Uniqueness

Uniqueness Score: -1.00%

Function 057E07EE, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E0880

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ff73bf1de37d0e291a44e591eb805398947978aee3d779f2de494adf1dc7d442
Instruction ID: 138622f104fc4315319e88d10cf9fcdbccb39666367ebeb3a58babf242ce1949
Opcode Fuzzy Hash: ff73bf1de37d0e291a44e591eb805398947978aee3d779f2de494adf1dc7d442
Instruction Fuzzy Hash: 2E219D72508344AFE722CF15DC44F67BFF8EF49610F08859AE9859B252D264E408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017DA7FA, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 017DA879

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c8c7fe22913822659224dc668dabfcae0a158fe757611ca275e36ec7c88a132b
Instruction ID: 911988174df4e66b822f368fc1ba4aa3ccbe6c09e6b088f729241b0fc2e52ff8
Opcode Fuzzy Hash: c8c7fe22913822659224dc668dabfcae0a158fe757611ca275e36ec7c88a132b
Instruction Fuzzy Hash: CF21A472540704AFE7229F59DC85F6BFBECFF04720F04885AED419B641D664E5058AB1

Uniqueness

Uniqueness Score: -1.00%

Function 057E2A63, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2ADF

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f01a13cb9e4e6aa8f6a460374ec294d13fc110f8bcfe55bf18d021d0f8446f20
Instruction ID: b86fb59c6f3791ffb8892a43335d2d2f168f6ea840d33249d897f588c6203b2b
Opcode Fuzzy Hash: f01a13cb9e4e6aa8f6a460374ec294d13fc110f8bcfe55bf18d021d0f8446f20
Instruction Fuzzy Hash: D92162B25093846FEB22CF25DC85F67BFA8EF45220F0884ABE9459B152D274E544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E2B47, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2BC3

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f01a13cb9e4e6aa8f6a460374ec294d13fc110f8bcfe55bf18d021d0f8446f20
Instruction ID: 29dd95c43df07e4f845ea3a807c937044b3544760e32313141c7f693debcaa73
Opcode Fuzzy Hash: f01a13cb9e4e6aa8f6a460374ec294d13fc110f8bcfe55bf18d021d0f8446f20
Instruction Fuzzy Hash: 972192B15093846FE722CF25DC45F67BFA8EF45220F0884ABE9449B152D274E504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DA646, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 017DA6B9

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 373ab556c4ed59d53a37aa96e1d253f549c772cb7ab8cc1a7b534252a2fd371d
Instruction ID: 6593dd8ead911fb865ca323ecbb5eacdc45f363fcade9d31af7f438c7d804d08
Opcode Fuzzy Hash: 373ab556c4ed59d53a37aa96e1d253f549c772cb7ab8cc1a7b534252a2fd371d
Instruction Fuzzy Hash: CD21CFB1600344AFE721CF29CC85B66FBE8FF04320F0884AAED459B242E375E805CA75

Uniqueness

Uniqueness Score: -1.00%

Function 017DBE4E, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DBECD

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: c76e2fc634525dd366c0e494a2410d1a5fed98d27f4fab367fb923f70bd03554
Instruction ID: 6b20078d6a8bcb66f1cd64a31ffbd76de95cfa93a5e2912e70dfdba557b50509
Opcode Fuzzy Hash: c76e2fc634525dd366c0e494a2410d1a5fed98d27f4fab367fb923f70bd03554
Instruction Fuzzy Hash: 01219271409384AFDB22CF65DC44F57FFB8EF45310F08849AE9849B156D235A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 017DA392, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DA40C

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 863a1834e923739ac6906318b1a5b44e4c994fe88e1f3647bf7d0aad3bb82324
Instruction ID: 670d34a15a07378e1bee5eb74b173a84e186b691fe57fb872fcc8453f1d1fc14
Opcode Fuzzy Hash: 863a1834e923739ac6906318b1a5b44e4c994fe88e1f3647bf7d0aad3bb82324
Instruction Fuzzy Hash: 5A218E71600308AFEB21CF19CC85F66FBECEF04720F08846AE9459B656D764E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 057E24DB, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2557

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: af824dda02232fe9de0b89d6f3c43425987d88191b2e7a51a541380c2036cdfa
Instruction ID: 5d5198b34e4adceaf0835e4353f38b22a9eae54361902638d9657ef583afa615
Opcode Fuzzy Hash: af824dda02232fe9de0b89d6f3c43425987d88191b2e7a51a541380c2036cdfa
Instruction Fuzzy Hash: 072181B1509384AFEB22CF25DD85F66BFA8EF45310F1884ABE9849B152C274A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E28C4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 057E2930

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 686b5aad1a08ce6b950ac735776330a14640d96083d786e045ce8a40ea97a86a
Instruction ID: 5db6bb4ecf3dc0d5f53f795088076fe2547425dfec2a3352d34d5bf84cf9322d
Opcode Fuzzy Hash: 686b5aad1a08ce6b950ac735776330a14640d96083d786e045ce8a40ea97a86a
Instruction Fuzzy Hash: BD21AE725093C05FDB128B25DC94A92BFA4AF07624F0984DAEC859F663D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 057E11B3, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 057E1232

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: dbe033929d831fb6b7c22626a8eb24449bb2921b35b72775c3115afd5075d5ea
Instruction ID: 9c1d588573261cbcc571b32f789164b300d051f60f0a1fff771d8633751f1e39
Opcode Fuzzy Hash: dbe033929d831fb6b7c22626a8eb24449bb2921b35b72775c3115afd5075d5ea
Instruction Fuzzy Hash: C621A1715093849FDB228F65DC84A92BFF4FF0A210F0984DAE9858F162D375A809DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E0AAA, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 057E0B15

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a3b2c7e415fca63252a195a0e0020973f8d7cb6218126ced8b51b67b6484c833
Instruction ID: 1863c3e04d3ee2301d29b1f419173ae9c04601b9a602a9400520b879c5a74b25
Opcode Fuzzy Hash: a3b2c7e415fca63252a195a0e0020973f8d7cb6218126ced8b51b67b6484c833
Instruction Fuzzy Hash: 0121AEB1600340AFE721DF29DC89F66FBE8FF08724F14846AED458B645D2B5E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 057E03BE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 057E042A

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 8dba179f820af95791fdc65d163151b32c8e8ff2ecca2cbb7cc04c8881515b38
Instruction ID: 6d4f8449ad6afd475538943326f73c342343593de0a4ce4a036da52f52380fd1
Opcode Fuzzy Hash: 8dba179f820af95791fdc65d163151b32c8e8ff2ecca2cbb7cc04c8881515b38
Instruction Fuzzy Hash: 79219D71500740AFEB21CF65DD49F66FBE8FF09320F08886AE9858A652D3B5A414CB62

Uniqueness

Uniqueness Score: -1.00%

Function 057E0BAA, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 057E0C1E

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b7c454854051aaf9d09528cd8cc18c3191920972ed98bea4310dc1170165c84b
Instruction ID: ea6fe669c12a5f9d2e752d5e359c9ce17561e723139ccbadf7290e80c6056958
Opcode Fuzzy Hash: b7c454854051aaf9d09528cd8cc18c3191920972ed98bea4310dc1170165c84b
Instruction Fuzzy Hash: 0B219D71500344AFE721CF5ADD89FA6FBE8EF08720F04845AE9899B651D2B5E508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017DA902, Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E2C), ref: 017DA97D

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 78cdd7c4900fa570244ff91bd7abfaca59f7fb4dcc99e6f4c3cf977c7f7a5e8b
Instruction ID: e4ac655be47ecacea452295f1decc677a9b0cffba65b992fb6773cb3f8d205a0
Opcode Fuzzy Hash: 78cdd7c4900fa570244ff91bd7abfaca59f7fb4dcc99e6f4c3cf977c7f7a5e8b
Instruction Fuzzy Hash: F6219D71500304AFEB328F65DC45F66FBA8EF04710F14886AEE855A656D275E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057E161A, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 057E16A3

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9e27640b496cfdb6d3e5e3ad948b94e3469a3782278f54975c5bbd7c4ade0c4f
Instruction ID: 05ccd2eba0405219d46c0f612667285328fa77e7cd6809a90fbd11c7d5e0e24d
Opcode Fuzzy Hash: 9e27640b496cfdb6d3e5e3ad948b94e3469a3782278f54975c5bbd7c4ade0c4f
Instruction Fuzzy Hash: 5F1106711043406FE721CF15DC85FA6FFA8EF46720F18809AFD845F192C274A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017DA486, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DA4F8

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44c20c5c81340ffe2590fef2ce16d3cfa6f9e43443aa819fe153fc730008dae5
Instruction ID: 4cecf097ce6287c783bec42c0e2207b73081647d1b7b7149dcf7e1f8a4a1b133
Opcode Fuzzy Hash: 44c20c5c81340ffe2590fef2ce16d3cfa6f9e43443aa819fe153fc730008dae5
Instruction Fuzzy Hash: D51181B1600708AFEB218E19DC45F67FBACEF04720F14845AED459B656D764E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 057E080E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E0880

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b56ca955304bd9107d366f50f05655aca91185728390cb6fa541736edf366469
Instruction ID: 87a291047c030c4624f6ed2d5d5326506d1cd1ea3b374e3998e3345636592ec9
Opcode Fuzzy Hash: b56ca955304bd9107d366f50f05655aca91185728390cb6fa541736edf366469
Instruction Fuzzy Hash: DE11AF71600304AFEB21CE16DC88F67FBE8EF08720F08846AE9459B656D2B4E404CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 017DAD34, Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 017DAD9E

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8d12878de0ed4d6ffed29aeddd88a431bba35aa34410345aa773026d1391fa0e
Instruction ID: 0dbe2415c7cb2efd0fdc4121c52e8f94f77c221ae4bb5a1b93e614eab855ca5a
Opcode Fuzzy Hash: 8d12878de0ed4d6ffed29aeddd88a431bba35aa34410345aa773026d1391fa0e
Instruction Fuzzy Hash: A4116D725053849FD722CF29DC85B97FFE8EF05210F0884AAED85CB656D234E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E1016, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E1075

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: a7d8bd4255c23f965a6accdee6896dbd3efe1a4b08fa30751911de4fa5318813
Instruction ID: dc60c3410aeb4461ebbb0403f9554f85ca1a2e2d9e5f1f177aeca9de8bc9c7f5
Opcode Fuzzy Hash: a7d8bd4255c23f965a6accdee6896dbd3efe1a4b08fa30751911de4fa5318813
Instruction Fuzzy Hash: 4F11E671600344AFEB22CF65DC45FAAFBA8EF08320F04846AED458B655D674E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057E2B6A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2BC3

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: d999d83e2ff97932e609369d9153196ff86db5900266cc3096093a27c701ba28
Instruction ID: b1e9b5d8c40d20b5b3d2db7e891d6f6e2b7ebbd2855a174c39b89f9d41fb6cfb
Opcode Fuzzy Hash: d999d83e2ff97932e609369d9153196ff86db5900266cc3096093a27c701ba28
Instruction Fuzzy Hash: 7C11C471500304AFEB21CF65DC85FAAFB9CEF08320F04846AED459B256D674E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 057E074A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 057E07C6

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 4050aa70648ad6efd9cc7cbcf8c762c1e47d56f2c339e4dd4b4dc0cadbba92c8
Instruction ID: a13982b69459d692c7f94819f5c294b55402b82b99a2e88c7567d61da84260f7
Opcode Fuzzy Hash: 4050aa70648ad6efd9cc7cbcf8c762c1e47d56f2c339e4dd4b4dc0cadbba92c8
Instruction Fuzzy Hash: 8C11C8719053406FD3218B16DC41F36FFB8EFC6B20F05819AED449B652D225B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 057E2A86, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2ADF

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: d999d83e2ff97932e609369d9153196ff86db5900266cc3096093a27c701ba28
Instruction ID: a46be7c82de62df28cfdcb80a8d2a7ecf6227df188d316e1d9b12c3bae0b95a5
Opcode Fuzzy Hash: d999d83e2ff97932e609369d9153196ff86db5900266cc3096093a27c701ba28
Instruction Fuzzy Hash: 0811C471500344AFEB21CF65DC85F66FBACEF48320F04846AED459B646D674E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 017DB237, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DB2A2

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a7fe6ba01befad3be59e1367a868c6b2d2280f70da56e23b5da02856ecdc7d3
Instruction ID: 8897910074c5bfba56aa5b718f072b4f34a9fcafa3afedfe3ad8d50aecdf4f31
Opcode Fuzzy Hash: 5a7fe6ba01befad3be59e1367a868c6b2d2280f70da56e23b5da02856ecdc7d3
Instruction Fuzzy Hash: C9118172409384AFDB228F55DC44B62FFF4EF4A620F0884DAED858B563C275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057E29AA, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2A00

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4079429e4e848d31600a3424e95a76e390e9a4ff93188b9755f8b0e6f24299a0
Instruction ID: 7840039ac82a4e878e9d5a264a4e08f8739fa78827ad5ad4f399af15d69aa5d4
Opcode Fuzzy Hash: 4079429e4e848d31600a3424e95a76e390e9a4ff93188b9755f8b0e6f24299a0
Instruction Fuzzy Hash: 5611A3B5600304AFEB21CF29DC85BAABB9CEF44720F14846AED45DB256D674E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 017DBE6E, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DBECD

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 73f29e30de25435d82d27fa469fd6762a5a5e113a792c7de013cbf493e748345
Instruction ID: dfe8b2864ed44d9315d1ac3d63967842ce16b6bc1be9594843a9f6bc0599ad28
Opcode Fuzzy Hash: 73f29e30de25435d82d27fa469fd6762a5a5e113a792c7de013cbf493e748345
Instruction Fuzzy Hash: FF11C471500304AFEB21CF59DC44F66FBA8EF44720F1488AAED459B556D275E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057E24FE, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 057E2557

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: c69ad1cddd9cae5ddfa75b4e2f7fad24f0c0e853b8905002a568bd1e8c43e426
Instruction ID: 0fb5c77311d3b2152979d31dc336921a4a0dc593361b894c9c4f8b24835d131d
Opcode Fuzzy Hash: c69ad1cddd9cae5ddfa75b4e2f7fad24f0c0e853b8905002a568bd1e8c43e426
Instruction Fuzzy Hash: 0E11E3B1500304AFEB21CF5ADD84F66FBADEF08320F1484AAED449B246D274E405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 017DABC1, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 017DAC20

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 891f6fd7543ba00f6db5f6074157fcd8a2dbcdf207df18e81d3c111a37c5b331
Instruction ID: f3d319c49d6a7a5bc9dc08c95f1b84d025be0920d41a50b10122a5747e0494c3
Opcode Fuzzy Hash: 891f6fd7543ba00f6db5f6074157fcd8a2dbcdf207df18e81d3c111a37c5b331
Instruction Fuzzy Hash: 7D1160714093C49FDB128B25DC44AA2BFB4EF46220F0884DBED888F153C275A548CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017DA2D2, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 017DA330

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: faddb6c536b7aa84a8843cbcb9b25f0326e684e9ddeca10a4b08b7eb4aec0b66
Instruction ID: 6b411bb2a7437111dddc78637391a33b27ca9e021f451f3e62d6880de5915eec
Opcode Fuzzy Hash: faddb6c536b7aa84a8843cbcb9b25f0326e684e9ddeca10a4b08b7eb4aec0b66
Instruction Fuzzy Hash: 57116D7140A3C46FDB238B259C54A62BFB4AF47624F0C84DBED848B263C265A908D762

Uniqueness

Uniqueness Score: -1.00%

Function 057E163A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 057E16A3

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1ab86264f3082cd8558cb9c4c4e8cc91386c357378e2331bfe44a4f56e77b636
Instruction ID: 53e826856dbbd6d1a093ee2e4fa257bb18d190cc29cfae8c3fd44575d788b164
Opcode Fuzzy Hash: 1ab86264f3082cd8558cb9c4c4e8cc91386c357378e2331bfe44a4f56e77b636
Instruction Fuzzy Hash: 8911E571500304AFE731DF16DC86FB6FB98EF09720F58849AED445E285D6B4A544CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 057E25DA, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 057E2630

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 1b62f8af5a031f5f2a2f51d5b770333bf4af38173670d8d8842eff4f69308c15
Instruction ID: 0bf92fd03fcc1ff6d3e55ba62a0431f89c63774b342298666c85c406a8c967d3
Opcode Fuzzy Hash: 1b62f8af5a031f5f2a2f51d5b770333bf4af38173670d8d8842eff4f69308c15
Instruction Fuzzy Hash: C21149756003048FD720CF59D884F66FBE8FB09610F0885AADD498BA16D374E808DA62

Uniqueness

Uniqueness Score: -1.00%

Function 017DA078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 017DA0D5

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 882fbc2cfad2398d7b55ab836e80845254cb2fa5ab2c81d91e4c70b1e9406538
Instruction ID: 9b1711da8e7887c7cbd5baebd3d585873aebf4bcd539bd5f5bf554eb75d92d52
Opcode Fuzzy Hash: 882fbc2cfad2398d7b55ab836e80845254cb2fa5ab2c81d91e4c70b1e9406538
Instruction Fuzzy Hash: 11118F71409384AFDB22CF25DD44B52FFB4EF45224F0884AAED848F553C275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017DAD56, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 017DAD9E

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 48bd20a5e40054464fd90f96ccb0bda9b8263ab126bcf605a72ff5c834a447fa
Instruction ID: 897832fbffe5a77eda792f9d5e6e2304949d5876ecc4042b7d03249fe7387522
Opcode Fuzzy Hash: 48bd20a5e40054464fd90f96ccb0bda9b8263ab126bcf605a72ff5c834a447fa
Instruction Fuzzy Hash: F011A1716003048FEB21CF2AD885B56FBE8FF04621F08C4AADD49CB64AD234E444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 057E26AE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 057E26F6

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c5891e47d5b6e4b117ad9797061842749ed67ea7613569ac094600a509f691d5
Instruction ID: 614dee2928d7f101fc2061934e89b1a12a05c4935360977f3415fb6e66847128
Opcode Fuzzy Hash: c5891e47d5b6e4b117ad9797061842749ed67ea7613569ac094600a509f691d5
Instruction Fuzzy Hash: 9B11A1756043048FEB20CF2AD885B66FBD8EF08320F08C46ADD49CB646D274E404DA71

Uniqueness

Uniqueness Score: -1.00%

Function 017DAF36, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2DA43EDE,00000000,00000000,00000000,00000000), ref: 017DAF89

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3465b58e11027d30e507a8dca88749afb61941341718c20907c82010d5878d33
Instruction ID: 0301158e55cfc49411aa8a03bf78d08f6c9e54ed030f63468fca4d9ab748905f
Opcode Fuzzy Hash: 3465b58e11027d30e507a8dca88749afb61941341718c20907c82010d5878d33
Instruction Fuzzy Hash: 8D01F9B1500308AFE721CF19DD85F66FBA8EF44720F14C4D6ED459B286D678E404CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 057E11E6, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 057E1232

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 57eca45236d4fbc5d97398e69d3f855d706d1e0e75a471cd543c45de48f44b28
Instruction ID: d61e07f7cc8567b0c8e39ba86d0dfa7bfef890e941768e26e6b0efa737092494
Opcode Fuzzy Hash: 57eca45236d4fbc5d97398e69d3f855d706d1e0e75a471cd543c45de48f44b28
Instruction Fuzzy Hash: B01188316003049FDB20CF55DC85B62FBE8FF08320F0884AAED858B666D335E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 017DA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 017DA1C2

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: de2799d693e54b550b4a6546be06b778fbc2a0d17fcfce89cc2cbfcfca83c44c
Instruction ID: 38668f08f0d0f913949eddde8a1df0016cffa12515cd81b50b82be86d197e558
Opcode Fuzzy Hash: de2799d693e54b550b4a6546be06b778fbc2a0d17fcfce89cc2cbfcfca83c44c
Instruction Fuzzy Hash: 8801B171900600ABD710DF1ADC86B36FBA8FB88A20F14816AED089B641D231B915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 057E13AE, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 057E13FE

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: d3a6bdf1d653d00e256625a0a69c5d32669781c0d54b32224e296a458dfc0881
Instruction ID: b9474c6a82dd83771618ac24b1c98c31d3ffea4e99d7c0c0620ed0eaf0d58e95
Opcode Fuzzy Hash: d3a6bdf1d653d00e256625a0a69c5d32669781c0d54b32224e296a458dfc0881
Instruction Fuzzy Hash: C101B171900600ABD310DF1ADC86B36FBA8FB88B20F14812AED089B641D231B915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 017DB25E, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DB2A2

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 309ad6fd9a1013d3d120ea22a7f07161f342e207f2a5b265a1a57d89eeaf45fb
Instruction ID: 7a3eca417eb1d2986feadf5cf1e43a9aefad360075766ef3df8a00f4d54eac81
Opcode Fuzzy Hash: 309ad6fd9a1013d3d120ea22a7f07161f342e207f2a5b265a1a57d89eeaf45fb
Instruction Fuzzy Hash: DA018B324043449FDB218F95D844B56FFE0EF08720F0888AADD898B616D335E014CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017DA74E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 017DA780

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 94ea739d856c2c0035312a2a4fc81552d5559682abb0341b4bc94b91a27dc269
Instruction ID: 623631493093b3a80e4438ca537f3bebfd6420f1e42980b6044542021ee28a39
Opcode Fuzzy Hash: 94ea739d856c2c0035312a2a4fc81552d5559682abb0341b4bc94b91a27dc269
Instruction Fuzzy Hash: AD018F75A003448FDB118F6AE985766FBB4EF04630F08C4ABDD4A8F656D278E404CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 057E0322, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 057E0372

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0ccadbdd4a6651dbc9b2764449e324a436ecb4cce49b49f3be423bc5323d683a
Instruction ID: 716706d56ef5e967c08c037c0ecd2de17b2b81ff347094091ed6f62aa919dd26
Opcode Fuzzy Hash: 0ccadbdd4a6651dbc9b2764449e324a436ecb4cce49b49f3be423bc5323d683a
Instruction Fuzzy Hash: FE018F71500605ABD214DF1ADC86B26FBA8FB89B20F14811AED085B641D271B516CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 057E28FE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 057E2930

Memory Dump Source

Source File: 00000001.00000002.919652643.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: aa73cced12ebd85e23fc1a34a0d323d318e865a620f9790e8324135c8c0eec1b
Instruction ID: 2739121d56da9ef00e89d990b2ee5fb8578ec5ca5ef2a3eb124893e761fabc7f
Opcode Fuzzy Hash: aa73cced12ebd85e23fc1a34a0d323d318e865a620f9790e8324135c8c0eec1b
Instruction Fuzzy Hash: A501D4759003008FD710CF1AE888B66FBD8EF04720F08C0AADC499F656D274E404CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 017DA09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 017DA0D5

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 2ab2aef701cfa5217d383819c4640b51f1e44eee828894b5edee64d86c44a2e4
Instruction ID: 9e6218bc5ba2ded839630cc841bb1ae5a7652a9765e0276bc177d0f6fe57d686
Opcode Fuzzy Hash: 2ab2aef701cfa5217d383819c4640b51f1e44eee828894b5edee64d86c44a2e4
Instruction Fuzzy Hash: 12019E315003449FDB21CF5AD884B66FBB0FF04320F08C4AADD498B656D375A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 017DABEE, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 017DAC20

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 2e1243136a0851a9761f219ab465b17e2a7299435c70619a71bb885044f9a783
Instruction ID: c52875aaf2440ffc5daed7235b69e6d006d7a737613ba0f8d27648803536051c
Opcode Fuzzy Hash: 2e1243136a0851a9761f219ab465b17e2a7299435c70619a71bb885044f9a783
Instruction Fuzzy Hash: 6801D1709043488FDB20CF1AD884766FBA4EF04330F08C4AADD488F60AD378A448CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 017DA2FE, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 017DA330

Memory Dump Source

Source File: 00000001.00000002.918805616.00000000017DA000.00000040.00000001.sdmp, Offset: 017DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 764c9bb99ea0e9d9b27fc23f9064053188ed6026ab7d58b3d4c7acfa4d839012
Instruction ID: e82c4cd68b6006e084ae8e269f307dccac324dfa6c0375c67eb17acbdadf43d7
Opcode Fuzzy Hash: 764c9bb99ea0e9d9b27fc23f9064053188ed6026ab7d58b3d4c7acfa4d839012
Instruction Fuzzy Hash: 21F0AF35904348DFDB208F0AD889766FFA0EF04720F08C49ADD494F656E6B9A408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05C3210B, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919879020.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3fdb53893da15867339de71fb0bad40fc4c406ffbda4079fb77ce8029ec75b
Instruction ID: 29105aa8827c6b9b92c2a177a3f01a6237d32335967973c0942178247011288c
Opcode Fuzzy Hash: 0a3fdb53893da15867339de71fb0bad40fc4c406ffbda4079fb77ce8029ec75b
Instruction Fuzzy Hash: 483141B5508341AFD300CF19DC41A5BFBE4FB89660F14896EF889D7311D231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 018807CE, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918908936.0000000001880000.00000040.00000040.sdmp, Offset: 01880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fb638a26496e799e1ad267b1f989165db5ad799ed7f54dc598d56d37a63983
Instruction ID: 60184263deefff59acbd8534d5093277c83f9e25c39e596b13b28094ead80773
Opcode Fuzzy Hash: b5fb638a26496e799e1ad267b1f989165db5ad799ed7f54dc598d56d37a63983
Instruction Fuzzy Hash: 38213E3550D3C18FC7178B24C850B54BF61AB47318F1986EED4848B6A3C73A894ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 01880804, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918908936.0000000001880000.00000040.00000040.sdmp, Offset: 01880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2af6e0ed70c4452180440cb0a776d02f7bd90d98effd920dcaaa19b63baa67
Instruction ID: 151bb310739283a7e979e74d12bbb001fccbc9e4407d5e9716455852a18a73d1
Opcode Fuzzy Hash: fe2af6e0ed70c4452180440cb0a776d02f7bd90d98effd920dcaaa19b63baa67
Instruction Fuzzy Hash: 2F11B431214344DFD725DB18C944B25BB95AB48708F24C9ACF9498B743C77BD947CA91

Uniqueness

Uniqueness Score: -1.00%

Function 05C32038, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919879020.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28129b7e5def17446d85b5f005723eed57b54eb837b5fbd3e6330110aded7b33
Instruction ID: e770999b64a7841eb2cb122dbc2765f9bfb18de0606d74172996736b54b96476
Opcode Fuzzy Hash: 28129b7e5def17446d85b5f005723eed57b54eb837b5fbd3e6330110aded7b33
Instruction Fuzzy Hash: EA11ECB5608305AFD350CF09D881E57FBE8EB88660F14891EFD9997311D231E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 017EB2E8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918825574.00000000017EA000.00000040.00000001.sdmp, Offset: 017EA000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a429499fb2ac412ca9df2bdc14c303b1eef23d7d873d1e870fab07e8e95a7f
Instruction ID: d065f1f4212ccc059d37d54db911d662b48fcb4aaee64bfd115745edb0061e85
Opcode Fuzzy Hash: 86a429499fb2ac412ca9df2bdc14c303b1eef23d7d873d1e870fab07e8e95a7f
Instruction Fuzzy Hash: 0D11ECB5608305AFD350CF09D881E5BFBE8EB88660F14891EFD9997311D231E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 018805D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918908936.0000000001880000.00000040.00000040.sdmp, Offset: 01880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b4b1695a907d1ad0614140f3d73584921d8c2a22c3fcda40322954f6bae4e5
Instruction ID: af65c5e6e3aac0910495883a60d4059e85e779d340342dfa8291c1bb2c1c6cfc
Opcode Fuzzy Hash: a5b4b1695a907d1ad0614140f3d73584921d8c2a22c3fcda40322954f6bae4e5
Instruction Fuzzy Hash: F401DB7250D7846FD7128B16DC41863FFE8DF86520718C09FEC49CB612D225B909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 018808C0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918908936.0000000001880000.00000040.00000040.sdmp, Offset: 01880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 8dc3a9b34679173f311492aecd7ae2f0d97c116fcef7a89705bdef2a15839979
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 61F06935208644DFC302DF04C940B25FBA2EB89718F24C6ADE9484B762C33BE913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 018805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918908936.0000000001880000.00000040.00000040.sdmp, Offset: 01880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd05e246074cdd4962bd95bb703d122c6d2e92ccb7fbfccfffc74a772de959ba
Instruction ID: 872066ad31fd9938a818e10983efdff555ceea23fc27c9ea76f54cd703fadc33
Opcode Fuzzy Hash: cd05e246074cdd4962bd95bb703d122c6d2e92ccb7fbfccfffc74a772de959ba
Instruction Fuzzy Hash: 0BE06D76A406045BD650CF0AEC81862FBD8EB84630718C06BDC0D8B715E535B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C321FF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919879020.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3ca057eb0063265476d755f8f3b405d86dc042a4899862e9c30edf73661dda
Instruction ID: 635cc83f58bbf1d63a55b8bc3374986e870f2e6f3a5e32a73063124b82b2774f
Opcode Fuzzy Hash: 7e3ca057eb0063265476d755f8f3b405d86dc042a4899862e9c30edf73661dda
Instruction Fuzzy Hash: 8EE0D8B2A4130467D3108F06AC86F63FB9CEB84A30F04C467ED081B706E071B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 05C32087, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919879020.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09a928896d40624590209d6901ea41f13e475a6eca8b8e4dca014641c7fd553
Instruction ID: d45f0fcaee77bf7aa5337afdb7ed28fbd1e12e2fef56bcc07b2c90d67e0f6d22
Opcode Fuzzy Hash: e09a928896d40624590209d6901ea41f13e475a6eca8b8e4dca014641c7fd553
Instruction Fuzzy Hash: 5CE0D872A4130467D2509F06AC86F63FB98EB40A30F04C557ED091B706E172B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31AAB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919879020.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7659a481715eedfb8d3635c30bb059f86490c66b5cc06c8666dfe9184d48903e
Instruction ID: fd6b1f03d7421a08603ba75da523a3963f11d24bfd8df217e0c1136949119c4c
Opcode Fuzzy Hash: 7659a481715eedfb8d3635c30bb059f86490c66b5cc06c8666dfe9184d48903e
Instruction Fuzzy Hash: 39E0D872A4120467D2109F06AC86F63FB98EB80A30F04C457ED095B706E172B514CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 017EB337, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918825574.00000000017EA000.00000040.00000001.sdmp, Offset: 017EA000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392475b1192ff8f49c40c3fd7d98fbeeefed049dcf20eb52b6a49a5c9dd64c06
Instruction ID: fddac715da43d922e41c0d4259e88c65290be5346ad52f1d70834176f8ecfc6b
Opcode Fuzzy Hash: 392475b1192ff8f49c40c3fd7d98fbeeefed049dcf20eb52b6a49a5c9dd64c06
Instruction Fuzzy Hash: FAE0D872A4130467D2108E06EC86F63FB98EB40A30F04C557ED091B706E171B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 017D23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918799039.00000000017D2000.00000040.00000001.sdmp, Offset: 017D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fadd42dfdf943b259cc9f0f316a63803337170858cff88fef609e73dc3e43f
Instruction ID: 181716c8b7713acdd8f2ef7eebe60109302a6019f8e2713d643f76f8f5d9a0ff
Opcode Fuzzy Hash: 69fadd42dfdf943b259cc9f0f316a63803337170858cff88fef609e73dc3e43f
Instruction Fuzzy Hash: 4FD05E79305A914FE3278A1CC1A8B957FF4AB51B04F5644F9EC008B667C369DA82D210

Uniqueness

Uniqueness Score: -1.00%

Function 017D23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.918799039.00000000017D2000.00000040.00000001.sdmp, Offset: 017D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92cab8dbe39d2b2deea8c14b9e235bda08b98f8ffddb4023f9f64f4345c364e
Instruction ID: 57c0bd8e169ce49f9fa90db8cb86e293a455932305986ec03e323213fd1390ce
Opcode Fuzzy Hash: e92cab8dbe39d2b2deea8c14b9e235bda08b98f8ffddb4023f9f64f4345c364e
Instruction Fuzzy Hash: 7ED05E342002854BD715DB0CC194F597BE4AB81B00F0A44E8AD008B266CBA4D882C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 12_pgr.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Njrat

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Code Manipulations