Windows Analysis Report sFau6gAKEk.exe

Overview

General Information

Sample Name: sFau6gAKEk.exe
Analysis ID: 491718
MD5: 3441a429a71ac1ad6e910efdd06cacd3
SHA1: d4f2ab9a718b2da7c4b1d1863dbc6a83b3e29264
SHA256: d3763d5c2317a279fc6ffce59700fb96f10570178d81c01a912db7b17811798c
Tags: exe, njrat, RAT

Detection

Njrat
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Njrat
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to retrieve information about pressed keystrokes
Enables debug privileges

AV Detection:

Found malware configuration
Source: 0.2.sFau6gAKEk.exe.1850000.1.raw.unpack Malware Configuration Extractor: Njrat {"Host": "strigoo.duckdns.org", "Port": "9889", "Mutex Name": "aed1603e66c64f9fafe", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"}
Multi AV Scanner detection for submitted file
Source: sFau6gAKEk.exe Virustotal: Detection: 50%
Source: sFau6gAKEk.exe ReversingLabs: Detection: 33%
Yara detected Njrat
Source: Yara match File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR
Source: sFau6gAKEk.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\user\source\repos\pump1000\pump1000\obj\Debug\pump1000.pdb source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49748 -> 181.141.1.250:9889
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: strigoo.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: strigoo.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49748 -> 181.141.1.250:9889
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EPMTelecomunicacionesSAESPCO
Source: sFau6gAKEk.exe, 00000000.00000002.513438487.0000000003D92000.00000004.00000001.sdmp String found in binary or memory: https://19a35f0c-6367-45ec-aec7-f047bc9f0ebe.com
Source: sFau6gAKEk.exe, 00000000.00000002.513438487.0000000003D92000.00000004.00000001.sdmp String found in binary or memory: https://19a35f0c-6367-45ec-aec7-f047bc9f0ebe.com(
Source: unknown DNS traffic detected: queries for: strigoo.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B9E4A GetAsyncKeyState, 0_2_00007FFA167B9E4A

E-Banking Fraud:

Yara detected Njrat
Source: Yara match File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR

System Summary:

PE file does not import any functions
Source: sFau6gAKEk.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: sFau6gAKEk.exe, 00000000.00000002.511842194.000000000176A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs sFau6gAKEk.exe
Source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamepump1000.exe2 vs sFau6gAKEk.exe
Source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp Binary or memory string: OriginalFilenametiny_runpe.dll6 vs sFau6gAKEk.exe
Source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSxLYSyDf.exe4 vs sFau6gAKEk.exe
Source: sFau6gAKEk.exe, 00000000.00000002.513438487.0000000003D92000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClient9889.exe4 vs sFau6gAKEk.exe
Source: sFau6gAKEk.exe, 00000000.00000002.511405225.0000000000F06000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametlaqBuoRv.exe, vs sFau6gAKEk.exe
Source: sFau6gAKEk.exe Binary or memory string: OriginalFilenametlaqBuoRv.exe, vs sFau6gAKEk.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167BAB6A 0_2_00007FFA167BAB6A
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167BA43E 0_2_00007FFA167BA43E
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167BE816 0_2_00007FFA167BE816
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167BF5C2 0_2_00007FFA167BF5C2
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B1447 0_2_00007FFA167B1447
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B149F 0_2_00007FFA167B149F
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B2A8A 0_2_00007FFA167B2A8A
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B29FD 0_2_00007FFA167B29FD
Source: sFau6gAKEk.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sFau6gAKEk.exe Virustotal: Detection: 50%
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Mutant created: \Sessions\1\BaseNamedObjects\aed1603e66c64f9fafe
Source: classification engine Classification label: mal80.troj.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\sFau6gAKEk.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\sFau6gAKEk.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: sFau6gAKEk.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: sFau6gAKEk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B3271 push ds; retf 0_2_00007FFA167B3272
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Code function: 0_2_00007FFA167B31DB push edi; retf 0_2_00007FFA167B31DE
Source: initial sample Static PE information: section name: .text entropy: 7.61141443582
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Window / User API: threadDelayed 6931
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 3976 Thread sleep count: 78 > 30
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 3976 Thread sleep time: -78000s >= -30000s
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 5116 Thread sleep count: 6931 > 30
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 6132 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 6132 Thread sleep time: -31000s >= -30000s
Source: sFau6gAKEk.exe, 00000000.00000002.515527260.000000001DB71000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Memory allocated: page read and write | page guard
Source: sFau6gAKEk.exe, 00000000.00000002.513513095.0000000003DA7000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp Binary or memory string: Progman
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Queries volume information: C:\Users\user\Desktop\sFau6gAKEk.exe VolumeInformation
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\sFau6gAKEk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR

Remote Access Functionality:

Yara detected Njrat
Source: Yara match File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR