Analysis Report 12_pgr.exe

Overview

General Information

Sample Name: 12_pgr.exe
Analysis ID: 399305
MD5: a08f2fac257abbbdddbbd4439f32cfd0
SHA1: 26d3ed4771b701a82f6aa32b747e27bb26e9864c
SHA256: bfd5d84c4fed8f9d23f94fe32bb7ee415dbe632c2ebaac642dbfdb73f89d0833
Tags: exe

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected njRat
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 12_pgr.exe (PID: 6756 cmdline: 'C:\Users\user\Desktop\12_pgr.exe' MD5: A08F2FAC257ABBBDDDBBD4439F32CFD0)
    • netsh.exe (PID: 7004 cmdline: netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
12_pgr.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4e88:$s3: Executed As
  • 0x4e6a:$s6: Download ERROR
12_pgr.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
12_pgr.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4d9e:$a1: netsh firewall add allowedprogram
  • 0x4d6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x5018:$b1: [TAP]
  • 0x4d30:$c3: cmd.exe /c ping
12_pgr.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d6e:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e46:$msg: Execute ERROR
  • 0x4ea2:$msg: Execute ERROR
  • 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4e88:$s3: Executed As
  • 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4d9e:$a1: netsh firewall add allowedprogram
  • 0x4d6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x5018:$b1: [TAP]
  • 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d6e:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e46:$msg: Execute ERROR
  • 0x4ea2:$msg: Execute ERROR
  • 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4b9e:$a1: netsh firewall add allowedprogram
  • 0x4b6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e18:$b1: [TAP]
  • 0x4b30:$c3: cmd.exe /c ping
00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4b6e:$reg: SEE_MASK_NOZONECHECKS
  • 0x4c46:$msg: Execute ERROR
  • 0x4ca2:$msg: Execute ERROR
  • 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4b9e:$a1: netsh firewall add allowedprogram
  • 0x4b6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e18:$b1: [TAP]
  • 0x4b30:$c3: cmd.exe /c ping
(3 further memory-dump matches not shown in this export)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.12_pgr.exe.ee0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4e88:$s3: Executed As
  • 0x4e6a:$s6: Download ERROR
1.0.12_pgr.exe.ee0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
1.0.12_pgr.exe.ee0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4d9e:$a1: netsh firewall add allowedprogram
  • 0x4d6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x5018:$b1: [TAP]
  • 0x4d30:$c3: cmd.exe /c ping
1.0.12_pgr.exe.ee0000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d6e:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e46:$msg: Execute ERROR
  • 0x4ea2:$msg: Execute ERROR
  • 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
1.2.12_pgr.exe.ee0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4e88:$s3: Executed As
  • 0x4e6a:$s6: Download ERROR
(3 further unpacked-PE matches not shown in this export)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 12_pgr.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Found malware configuration
Source: 1.0.12_pgr.exe.ee0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}
Yara detected Njrat
Source: Yara match | File source: 12_pgr.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match | File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 12_pgr.exe | Joe Sandbox ML: detected
Source: 1.0.12_pgr.exe.ee0000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 1.2.12_pgr.exe.ee0000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 12_pgr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\12_pgr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 12_pgr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49734 -> 185.140.53.71:3429
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 185.140.53.71
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 185.140.53.71:3429
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 (22 events)
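
The configuration above supplies the C2 endpoint (185.140.53.71:3429) and the field separator |'|'|, and the Snort signature fired on the client's "ll" information beacon. The Python below is an added example, not part of the sandbox report and not njRAT's own code: it decodes njRAT-style frames from a reassembled TCP stream (an ASCII decimal payload length, a NUL byte, then separator-joined fields, which is the framing the Snort content match keys on) and flags the beacon and the configured destination. The sample bytes are constructed; the fields after "ll" are placeholders rather than the real 0.7d field layout, and "P" as a keepalive command is an assumption.

```python
# Added example, not part of the sandbox report or of njRAT: decode
# njRAT-style C2 frames from a reassembled TCP stream and flag the 'll'
# information beacon that Snort SID 2021176 keys on. Framing: ASCII decimal
# payload length, a NUL byte, then fields joined by the configured separator.
from dataclasses import dataclass, field
from typing import List, Tuple

# Values taken from the extracted malware configuration in the report
C2_HOST = "185.140.53.71"
C2_PORT = 3429
SEPARATOR = "|'|'|"          # the extractor's "Network Seprator"
CAMPAIGN_ID = "SPRINGLES"
VERSION = "0.7d"


@dataclass
class Frame:
    command: str
    fields: List[str] = field(default_factory=list)


def build_frame(command: str, *fields: str, sep: str = SEPARATOR) -> bytes:
    """Encode one frame as b'<decimal length>\\x00<payload>'. Used here only
    to construct sample traffic for the decoder."""
    payload = sep.join((command, *fields)).encode("latin-1")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a byte stream into complete payloads.
    Returns (payloads, leftover): leftover is a trailing partial frame, or
    data that carries no length prefix, to be kept for the next segment."""
    payloads: List[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break                          # no '<digits>\x00' prefix here
        length = int(stream[pos:nul])
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                          # frame not yet complete
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_frame(payload: bytes, sep: str = SEPARATOR) -> Frame:
    parts = payload.decode("latin-1").split(sep)
    return Frame(parts[0], parts[1:])


def decode_stream(stream: bytes, sep: str = SEPARATOR) -> List[Frame]:
    payloads, _ = split_frames(stream)
    return [parse_frame(p, sep) for p in payloads]


def is_njrat_beacon(stream: bytes, sep: str = SEPARATOR) -> bool:
    """Same condition as the Snort content match: a length prefix and NUL
    immediately followed by 'll' and the separator."""
    frames = decode_stream(stream, sep)
    return bool(frames) and frames[0].command == "ll" and bool(frames[0].fields)


def classify_flow(dst_ip: str, dst_port: int, stream: bytes) -> List[str]:
    """Reasons to alert on one outbound flow."""
    reasons = []
    if (dst_ip, dst_port) == (C2_HOST, C2_PORT):
        reasons.append("destination matches extracted njRAT configuration")
    if is_njrat_beacon(stream):
        reasons.append("njRAT 'll' beacon framing (cf. Snort SID 2021176)")
    return reasons


# Constructed sample: an 'll' beacon, a second short frame, and a truncated
# third frame as a capture cut mid-frame would show. The fields after 'll'
# are placeholders, not the real 0.7d field layout; 'P' as a keepalive
# command is an assumption.
SAMPLE_STREAM = (
    build_frame("ll", "victim-id-constructed", CAMPAIGN_ID, VERSION)
    + build_frame("P")
    + b"40\x00ll" + SEPARATOR.encode("ascii")   # declares 40 bytes, fewer present
)

if __name__ == "__main__":
    for fr in decode_stream(SAMPLE_STREAM):
        print(fr.command, fr.fields)
    print(classify_flow(C2_HOST, C2_PORT, SAMPLE_STREAM))
```

The decoder keeps the partial third frame as leftover instead of discarding or mis-parsing it, which matters when feeding reassembled TCP segments one at a time; the destination check is intentionally separate from the payload check, since the operator can move the host and port without touching the protocol.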

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 12_pgr.exe, kl.cs | .Net Code: VKCodeToUnicode
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 1.0.12_pgr.exe.ee0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 1.2.12_pgr.exe.ee0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode

E-Banking Fraud:

Yara detected Njrat
Source: Yara match | File source: 12_pgr.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match | File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 12_pgr.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 12_pgr.exe, type: SAMPLE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 12_pgr.exe, type: SAMPLE | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 12_pgr.exe, 00000001.00000002.920058520.0000000005EB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename AVICAP32.DLL.MUI vs 12_pgr.exe
Source: 12_pgr.exe, 00000001.00000002.920027771.0000000005E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename msvfw32.dll.mui vs 12_pgr.exe
Source: 12_pgr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Matched rule metadata:
  CN_disclosed_20180208_c: date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ (matched in: 12_pgr.exe [SAMPLE]; the dropped 79c06ef4ef423d882819c4e66285ec85.exe [DROPPED]; 1.0.12_pgr.exe.ee0000.0.unpack and 1.2.12_pgr.exe.ee0000.0.unpack [UNPACKEDPE])
  njrat1: date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net (matched in: the SAMPLE, both MEMORY dumps, the DROPPED file and both UNPACKEDPE sources listed above)
  Njrat: hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan (matched in: the same sources as njrat1)
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/3@0/1
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_057E282E AdjustTokenPrivileges, 1_2_057E282E
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_057E27F7 AdjustTokenPrivileges, 1_2_057E27F7
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Users\user\Desktop\12_pgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\79c06ef4ef423d882819c4e66285ec85
Source: C:\Users\user\Desktop\12_pgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 12_pgr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\12_pgr.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\12_pgr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\12_pgr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\12_pgr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\12_pgr.exe | File read: C:\Users\user\Desktop\12_pgr.exe
Source: unknown | Process created: C:\Users\user\Desktop\12_pgr.exe 'C:\Users\user\Desktop\12_pgr.exe'
Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\12_pgr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 12_pgr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\12_pgr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 12_pgr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 12_pgr.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_00EE5021 push cs; ret 1_2_00EE5022
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C30773 push es; ret 1_2_05C30776
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C31F74 push ds; ret 1_2_05C31F7A
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C30778 push es; ret 1_2_05C3077A
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C30F7F push cs; ret 1_2_05C30F82
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe (dropped file)

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe (dropped file)
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe (2 events)
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX (37 events)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Users\user\Desktop\12_pgr.exe | Window / User API: threadDelayed 6654
Source: C:\Users\user\Desktop\12_pgr.exe TID: 7104 | Thread sleep count: 6654 > 30
Source: C:\Users\user\Desktop\12_pgr.exe | Last function: Thread delayed (2 events)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\12_pgr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\12_pgr.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            .NET source code references suspicious native API functions
            Source: 12_pgr.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 12_pgr.exe, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 1.0.12_pgr.exe.ee0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 1.2.12_pgr.exe.ee0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 12_pgr.exe, 00000001.00000002.918571397.00000000012FA000.00000004.00000001.sdmp | Binary or memory string: Program Manager
            Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: 12_pgr.exe, 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9
            Source: 12_pgr.exe, 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp | Binary or memory string: Program Manager<
            Source: C:\Users\user\Desktop\12_pgr.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
            Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_057E0776 GetUserNameW, 1_2_057E0776
            Source: C:\Users\user\Desktop\12_pgr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings:

            Modifies the windows firewall
            Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE
            Uses netsh to modify the Windows network and firewall settings
            Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE

            Stealing of Sensitive Information: