Analysis Report XQehPgTn35.exe

Overview

General Information

Sample Name: XQehPgTn35.exe
Analysis ID: 433012
MD5: 595c00bf9ca4baa42b4490f2782cf2d3
SHA1: d1441cc336655f36efc3db070f84701a1f68e51a
SHA256: 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file has nameless sections
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: XQehPgTn35.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Google.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Windows\server.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\system 32.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Umbrella.flv.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\SublimeText.exe Avira: detection malicious, Label: HEUR/AGEN.1128047
Found malware configuration
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "714bcaf02dc680243f761ccdcdc54f71", "Install Dir": "system 32", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "[i]", "Port": "MTU0MDkg", "Network Seprator": "714bcaf02dc680243f761ccdcdc54f71", "Mutex Name": "False", "BSOD Active": "MTU0MDkg", "Pastebin Link": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
Multi AV Scanner detection for domain / URL
Source: 4.tcp.ngrok.io Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Google.exe Virustotal: Detection: 44%
Source: C:\Program Files (x86)\Google.exe Metadefender: Detection: 42%
Source: C:\Program Files (x86)\Google.exe ReversingLabs: Detection: 61%
Source: C:\SublimeText.exe Metadefender: Detection: 42%
Source: C:\SublimeText.exe ReversingLabs: Detection: 61%
Source: C:\Umbrella.flv.exe Metadefender: Detection: 42%
Source: C:\Umbrella.flv.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Google.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Google.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe ReversingLabs: Detection: 61%
Multi AV Scanner detection for submitted file
Source: XQehPgTn35.exe Virustotal: Detection: 44%
Source: XQehPgTn35.exe Metadefender: Detection: 42%
Source: XQehPgTn35.exe ReversingLabs: Detection: 61%
Yara detected Njrat
Source: Yara match File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Google.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe Joe Sandbox ML: detected
Source: C:\Windows\server.exe Joe Sandbox ML: detected
Source: C:\system 32.exe Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Joe Sandbox ML: detected
Source: C:\SublimeText.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: XQehPgTn35.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.XQehPgTn35.exe.afc000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.Google.exe.132c000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.Google.exe.1310000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 11.2.Microsoft Corporation.exe.dbc000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Unpacked PE file: 14.2.Google.exe.1310000.0.unpack
Uses 32bit PE files
Source: XQehPgTn35.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\XQehPgTn35.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading:

Contains functionality to spread to USB devices (.Net source)
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, Usb1.cs .Net Code: infect
Source: 14.2.Google.exe.1310000.0.unpack, Usb1.cs .Net Code: infect
Creates autorun.inf (USB autostart)
Source: C:\Windows\server.exe File created: C:\autorun.inf
May infect USB drives
Source: XQehPgTn35.exe Binary or memory string: [autorun]
Source: XQehPgTn35.exe Binary or memory string: \autorun.inf
Source: XQehPgTn35.exe Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe Binary or memory string: \autorun.inf
Source: Microsoft Corporation.exe Binary or memory string: [autorun]
Source: Google.exe Binary or memory string: [autorun]
Source: Google.exe Binary or memory string: \autorun.inf
Source: Google.exe Binary or memory string: autorun.inf
Source: autorun.inf.2.dr Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00D67A2C FindFirstFileA, 0_2_00D67A2C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49727 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49729 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49730 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49731 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49732 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49733 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49734 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49735 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49736 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49737 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49738 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49739 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49740 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49741 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49742 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49743 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49744 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49745 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49746 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49747 -> 3.129.187.220:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49748 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49749 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49750 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49751 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49752 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49753 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49754 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49755 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49756 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49757 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49758 -> 3.136.65.236:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49759 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49760 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49761 -> 3.138.180.119:15409
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49762 -> 3.138.180.119:15409
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: [i]
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 3.136.65.236 ports 0,1,15409,4,5,9
Source: global traffic TCP traffic: 3.129.187.220 ports 0,1,15409,4,5,9
Source: global traffic TCP traffic: 3.138.180.119 ports 0,1,15409,4,5,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49727 -> 3.138.180.119:15409
Source: global traffic TCP traffic: 192.168.2.3:49730 -> 3.129.187.220:15409
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 3.136.65.236:15409
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.129.187.220 3.129.187.220
Source: Joe Sandbox View IP Address: 3.138.180.119 3.138.180.119
Source: Joe Sandbox View IP Address: 3.136.65.236 3.136.65.236
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: unknown DNS traffic detected: queries for: 4.tcp.ngrok.io
Source: Google.exe, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: XQehPgTn35.exe, 00000000.00000002.201116536.0000000000AFC000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.254136129.0000000000DBC000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Microsoft Corporation.exe, 0000000B.00000002.253950253.0000000000C4A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\XQehPgTn35.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\server.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Njrat
Source: Yara match File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
PE file has nameless sections
Source: XQehPgTn35.exe Static PE information: section name:
Source: XQehPgTn35.exe Static PE information: section name:
Source: XQehPgTn35.exe Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: Google.exe.2.dr Static PE information: section name:
Source: Google.exe.2.dr Static PE information: section name:
Source: Google.exe.2.dr Static PE information: section name:
Source: Microsoft Corporation.exe.2.dr Static PE information: section name:
Source: Microsoft Corporation.exe.2.dr Static PE information: section name:
Source: Microsoft Corporation.exe.2.dr Static PE information: section name:
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: section name:
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: section name:
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Windows\server.exe Process Stats: CPU usage > 98%
Creates files inside the system directory
Source: C:\Users\user\Desktop\XQehPgTn35.exe File created: C:\Windows\server.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00AE2050 0_2_00AE2050
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594298 0_2_03594298
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03595459 0_2_03595459
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594B5B 0_2_03594B5B
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_0359505D 0_2_0359505D
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594544 0_2_03594544
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_0359536F 0_2_0359536F
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_0359470F 0_2_0359470F
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03595000 0_2_03595000
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594630 0_2_03594630
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594936 0_2_03594936
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594F2F 0_2_03594F2F
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_035947D4 0_2_035947D4
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_035949F9 0_2_035949F9
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_035944F1 0_2_035944F1
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_035950E3 0_2_035950E3
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_0359499D 0_2_0359499D
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594F9D 0_2_03594F9D
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594C8F 0_2_03594C8F
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_03594287 0_2_03594287
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Code function: 11_2_00DA2050 11_2_00DA2050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Code function: 14_2_01312050 14_2_01312050
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: String function: 00B00264 appears 61 times
Sample file is different than original file name gathered from version info
Source: XQehPgTn35.exe, 00000000.00000002.204876570.0000000006500000.00000002.00000001.sdmp Binary or memory string: originalfilename vs XQehPgTn35.exe
Source: XQehPgTn35.exe, 00000000.00000002.204876570.0000000006500000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs XQehPgTn35.exe
Source: XQehPgTn35.exe, 00000000.00000002.204526243.0000000006400000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs XQehPgTn35.exe
Uses 32bit PE files
Source: XQehPgTn35.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: XQehPgTn35.exe, type: SAMPLE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Google.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\SublimeText.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\system 32.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Windows\server.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.server.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.0.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 14.0.Google.exe.1310000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: XQehPgTn35.exe Static PE information: Section: ZLIB complexity 0.989884561567
Source: XQehPgTn35.exe Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: server.exe.0.dr Static PE information: Section: ZLIB complexity 0.989884561567
Source: server.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: Google.exe.2.dr Static PE information: Section: ZLIB complexity 0.989884561567
Source: Google.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: Microsoft Corporation.exe.2.dr Static PE information: Section: ZLIB complexity 0.989884561567
Source: Microsoft Corporation.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: Section: ZLIB complexity 0.989884561567
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: classification engine Classification label: mal100.spre.troj.adwa.evad.winEXE@14/27@35/3
Source: C:\Windows\server.exe File created: C:\Program Files (x86)\Google.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe File created: C:\Users\user\AppData\Roaming\app
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\server.exe Mutant created: \Sessions\1\BaseNamedObjects\714bcaf02dc680243f761ccdcdc54f71
Source: C:\Windows\server.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_01
Source: C:\Users\user\Desktop\XQehPgTn35.exe File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: C:\Users\user\Desktop\XQehPgTn35.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\server.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\XQehPgTn35.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\XQehPgTn35.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\XQehPgTn35.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\server.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\server.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\server.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\XQehPgTn35.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\XQehPgTn35.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\server.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: XQehPgTn35.exe Virustotal: Detection: 44%
Source: XQehPgTn35.exe Metadefender: Detection: 42%
Source: XQehPgTn35.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\XQehPgTn35.exe File read: C:\Users\user\Desktop\XQehPgTn35.exe
Source: unknown Process created: C:\Users\user\Desktop\XQehPgTn35.exe 'C:\Users\user\Desktop\XQehPgTn35.exe'
Source: C:\Users\user\Desktop\XQehPgTn35.exe Process created: C:\Windows\server.exe 'C:\Windows\server.exe'
Source: C:\Windows\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram 'C:\Windows\server.exe'
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe'
Source: C:\Users\user\Desktop\XQehPgTn35.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: XQehPgTn35.exe Static file information: File size 1143296 > 1048576
Source: C:\Users\user\Desktop\XQehPgTn35.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Unpacked PE file: 14.2.Google.exe.1310000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Unpacked PE file: 14.2.Google.exe.1310000.0.unpack
.NET source code contains potential unpacker
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, Stub/Fransesco.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, Stub/Fransesco.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.Google.exe.1310000.0.unpack, Stub/Fransesco.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains sections with non-standard names
Source: XQehPgTn35.exe Static PE information: section name:
Source: XQehPgTn35.exe Static PE information: section name:
Source: XQehPgTn35.exe Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: Google.exe.2.dr Static PE information: section name:
Source: Google.exe.2.dr Static PE information: section name:
Source: Google.exe.2.dr Static PE information: section name:
Source: Microsoft Corporation.exe.2.dr Static PE information: section name:
Source: Microsoft Corporation.exe.2.dr Static PE information: section name:
Source: Microsoft Corporation.exe.2.dr Static PE information: section name:
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: section name:
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: section name:
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B09089 push ss; ret 0_2_00B0908A
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B09075 push ss; ret 0_2_00B09076
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B091FF push ss; ret 0_2_00B09207
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B18104 push ecx; mov dword ptr [esp], edx 0_2_00B18109
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C2A8 push es; ret 0_2_00B0C2CE
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B153A0 push 00B15400h; ret 0_2_00B153F8
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C394 push es; ret 0_2_00B0C3A6
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C3F4 push es; ret 0_2_00B0C442
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B043EA push 00B04418h; ret 0_2_00B04410
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B093D9 push ss; ret 0_2_00B093DA
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B1832C push ecx; mov dword ptr [esp], edx 0_2_00B18331
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B09311 push ss; ret 0_2_00B09312
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C355 push es; ret 0_2_00B0C366
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B04494 push 00B044C0h; ret 0_2_00B044B8
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B1549B push ss; ret 0_2_00B154A2
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B15484 push ss; ret 0_2_00B15492
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B1848C push ecx; mov dword ptr [esp], edx 0_2_00B18491
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B044F8 push 00B0452Ch; ret 0_2_00B04524
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C4E4 push es; ret 0_2_00B0C4EA
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B04424 push 00B04450h; ret 0_2_00B04448
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B09453 push ss; ret 0_2_00B09454
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B16454 push 00B164A1h; ret 0_2_00B16499
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0445C push 00B04488h; ret 0_2_00B04480
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0945F push ss; ret 0_2_00B09460
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C448 push es; ret 0_2_00B0C4A2
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B18448 push ecx; mov dword ptr [esp], edx 0_2_00B1844D
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B025F0 push 00B02641h; ret 0_2_00B02639
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B14536 push 00B145B5h; ret 0_2_00B145AD
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C514 push es; ret 0_2_00B0C51A
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B15577 push 00B155A4h; ret 0_2_00B1559C
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00B0C55C push 00B0C6D8h; ret 0_2_00B0C6D0
Source: initial sample Static PE information: section name: entropy: 7.97927562362
Source: initial sample Static PE information: section name: .data entropy: 7.9850157277

Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Windows\server.exe File created: C:\Users\user\Documents\Google.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\XQehPgTn35.exe Executable created and started: C:\Windows\server.exe
Drops PE files
Source: C:\Windows\server.exe File created: C:\Users\user\Desktop\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\Documents\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe
Source: C:\Windows\server.exe File created: C:\Program Files (x86)\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\Favorites\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe
Source: C:\Windows\server.exe File created: C:\Umbrella.flv.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Local\Google.exe
Source: C:\Windows\server.exe File created: C:\Windows\SysWOW64\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe
Source: C:\Windows\server.exe File created: C:\SublimeText.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe File created: C:\Windows\server.exe
Source: C:\Windows\server.exe File created: C:\system 32.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Drops PE files to the program root directory (C:\Program Files)
Source: C:\Windows\server.exe File created: C:\Program Files (x86)\Google.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\server.exe File created: C:\Windows\SysWOW64\Google.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe File created: C:\Windows\server.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Stores files to the Windows start menu directory
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
Source: C:\Windows\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\server.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\server.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\server.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Window / User API: threadDelayed 718
Source: C:\Windows\server.exe Window / User API: threadDelayed 404
Source: C:\Windows\server.exe Window / User API: threadDelayed 398
Source: C:\Windows\server.exe Window / User API: foregroundWindowGot 567
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\XQehPgTn35.exe TID: 6472 Thread sleep count: 718 > 30
Source: C:\Users\user\Desktop\XQehPgTn35.exe TID: 6572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\server.exe TID: 6652 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\server.exe TID: 6780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 5696 Thread sleep count: 91 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 2100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: 0_2_00D67A2C FindFirstFileA, 0_2_00D67A2C
Source: C:\Users\user\Desktop\XQehPgTn35.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\server.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: Google.exe Binary or memory string: VBoxService.exe
Source: XQehPgTn35.exe, Microsoft Corporation.exe, 0000000B.00000002.255054974.0000000000F02000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286192987.0000000001472000.00000040.00020000.sdmp Binary or memory string: ~VirtualMachineTypes
Source: XQehPgTn35.exe, Microsoft Corporation.exe, 0000000B.00000002.255054974.0000000000F02000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286192987.0000000001472000.00000040.00020000.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Google.exe Binary or memory string: VMWare
Source: XQehPgTn35.exe, 00000000.00000002.201236294.0000000000C42000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.255054974.0000000000F02000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286192987.0000000001472000.00000040.00020000.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp Binary or memory string: &VBoxService.exe
Source: C:\Windows\server.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\XQehPgTn35.exe Thread information set: HideFromDebugger
Source: C:\Windows\server.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Windows\server.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\XQehPgTn35.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Process created: C:\Windows\server.exe 'C:\Windows\server.exe'
Source: XQehPgTn35.exe, 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: XQehPgTn35.exe, 00000000.00000002.204294219.0000000005F3B000.00000004.00000001.sdmp, Microsoft Corporation.exe, 0000000B.00000002.257313375.00000000036C1000.00000004.00000001.sdmp, Google.exe, 0000000E.00000002.288890371.00000000032F6000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: XQehPgTn35.exe, Microsoft Corporation.exe, Google.exe Binary or memory string: Shell_TrayWnd
Source: XQehPgTn35.exe, Microsoft Corporation.exe, Google.exe Binary or memory string: ProgMan
Source: XQehPgTn35.exe, 00000000.00000002.202841791.0000000003E63000.00000004.00000001.sdmp, Microsoft Corporation.exe, 0000000B.00000002.257313375.00000000036C1000.00000004.00000001.sdmp, Google.exe, 0000000E.00000002.288890371.00000000032F6000.00000004.00000001.sdmp Binary or memory string: kredProgram Manager
Source: XQehPgTn35.exe, 00000000.00000002.204294219.0000000005F3B000.00000004.00000001.sdmp, Microsoft Corporation.exe, 0000000B.00000002.257529987.000000000598B000.00000004.00000001.sdmp, Google.exe, 0000000E.00000002.289379384.000000000557B000.00000004.00000001.sdmp Binary or memory string: rdProgram Manager
Source: XQehPgTn35.exe, Microsoft Corporation.exe, Google.exe Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\XQehPgTn35.exe Code function: GetLocaleInfoA, 0_2_00D67A1A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Disables the Windows task manager (taskmgr)
Source: C:\Windows\server.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Modifies the windows firewall
Source: C:\Windows\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Njrat
Source: Yara match File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE