Source: 0.2.sFau6gAKEk.exe.1850000.1.raw.unpack |
Malware Configuration Extractor: Njrat {"Host": "strigoo.duckdns.org", "Port": "9889", "Mutex Name": "aed1603e66c64f9fafe", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"} |
Source: sFau6gAKEk.exe |
Virustotal: Detection: 50% |
Perma Link |
Source: sFau6gAKEk.exe |
ReversingLabs: Detection: 33% |
Source: Yara match |
File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR |
Source: sFau6gAKEk.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: C:\Users\user\source\repos\pump1000\pump1000\obj\Debug\pump1000.pdb source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49748 -> 181.141.1.250:9889 |
Source: Malware configuration extractor |
URLs: strigoo.duckdns.org |
Source: unknown |
DNS query: name: strigoo.duckdns.org |
Source: global traffic |
TCP traffic: 192.168.2.5:49748 -> 181.141.1.250:9889 |
Source: Joe Sandbox View |
ASN Name: EPMTelecomunicacionesSAESPCO EPMTelecomunicacionesSAESPCO |
Source: sFau6gAKEk.exe, 00000000.00000002.513438487.0000000003D92000.00000004.00000001.sdmp |
String found in binary or memory: https://19a35f0c-6367-45ec-aec7-f047bc9f0ebe.com |
Source: sFau6gAKEk.exe, 00000000.00000002.513438487.0000000003D92000.00000004.00000001.sdmp |
String found in binary or memory: https://19a35f0c-6367-45ec-aec7-f047bc9f0ebe.com( |
Source: unknown |
DNS traffic detected: queries for: strigoo.duckdns.org |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B9E4A GetAsyncKeyState, |
0_2_00007FFA167B9E4A |
Source: Yara match |
File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR |
Source: sFau6gAKEk.exe |
Static PE information: No import functions for PE file found |
Source: sFau6gAKEk.exe, 00000000.00000002.511842194.000000000176A000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs sFau6gAKEk.exe |
Source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp |
Binary or memory string: OriginalFilenamepump1000.exe2 vs sFau6gAKEk.exe |
Source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp |
Binary or memory string: OriginalFilenametiny_runpe.dll6 vs sFau6gAKEk.exe |
Source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp |
Binary or memory string: OriginalFilenameSxLYSyDf.exe4 vs sFau6gAKEk.exe |
Source: sFau6gAKEk.exe, 00000000.00000002.513438487.0000000003D92000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameClient9889.exe4 vs sFau6gAKEk.exe |
Source: sFau6gAKEk.exe, 00000000.00000002.511405225.0000000000F06000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenametlaqBuoRv.exe, vs sFau6gAKEk.exe |
Source: sFau6gAKEk.exe |
Binary or memory string: OriginalFilenametlaqBuoRv.exe, vs sFau6gAKEk.exe |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167BAB6A |
0_2_00007FFA167BAB6A |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167BA43E |
0_2_00007FFA167BA43E |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167BE816 |
0_2_00007FFA167BE816 |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167BF5C2 |
0_2_00007FFA167BF5C2 |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B1447 |
0_2_00007FFA167B1447 |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B149F |
0_2_00007FFA167B149F |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B2A8A |
0_2_00007FFA167B2A8A |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B29FD |
0_2_00007FFA167B29FD |
Source: sFau6gAKEk.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: sFau6gAKEk.exe |
Virustotal: Detection: 50% |
Source: sFau6gAKEk.exe |
ReversingLabs: Detection: 33% |
Source: sFau6gAKEk.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Mutant created: \Sessions\1\BaseNamedObjects\aed1603e66c64f9fafe |
Source: classification engine |
Classification label: mal80.troj.winEXE@1/0@1/1 |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Jump to behavior |
Source: sFau6gAKEk.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: sFau6gAKEk.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: sFau6gAKEk.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: C:\Users\user\source\repos\pump1000\pump1000\obj\Debug\pump1000.pdb source: sFau6gAKEk.exe, 00000000.00000002.515359849.000000001CA19000.00000004.00020000.sdmp |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B3271 push ds; retf |
0_2_00007FFA167B3272 |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Code function: 0_2_00007FFA167B31DB push edi; retf |
0_2_00007FFA167B31DE |
Source: initial sample |
Static PE information: section name: .text entropy: 7.61141443582 |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Window / User API: threadDelayed 6931 |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 3976 |
Thread sleep count: 78 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 3976 |
Thread sleep time: -78000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 5116 |
Thread sleep count: 6931 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 6132 |
Thread sleep count: 31 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe TID: 6132 |
Thread sleep time: -31000s >= -30000s |
Jump to behavior |
Source: sFau6gAKEk.exe, 00000000.00000002.515527260.000000001DB71000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Memory allocated: page read and write | page guard |
Jump to behavior |
Source: sFau6gAKEk.exe, 00000000.00000002.513513095.0000000003DA7000.00000004.00000001.sdmp |
Binary or memory string: Program Manager |
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp |
Binary or memory string: SProgram Managerl |
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: sFau6gAKEk.exe, 00000000.00000002.513024357.0000000002570000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Queries volume information: C:\Users\user\Desktop\sFau6gAKEk.exe VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\sFau6gAKEk.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: Yara match |
File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: sFau6gAKEk.exe PID: 5200, type: MEMORYSTR |