

Windows Analysis Report 7FW4ce2RDy

Overview

General Information

Sample Name: 7FW4ce2RDy (renamed file extension from none to exe)
Analysis ID: 494416
MD5: 776211eed31b6a8ea3539ac1d822362c
SHA1: b18225f3217536c802d43d9e4a0ac8ac22a90109
SHA256: f32fb1af5db650065e6e1d02ade5506e6c0903e4bbc9ff6ff2fbf94bef6ffba4
Tags: exe, Xtrat

Detection

njRat, Xtreme RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Xtreme RAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Found malware configuration
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Installs Xtreme RAT
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Contains functionality to inject threads in other processes
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Contains functionality to retrieve information about pressed keystrokes
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Potential key logger detected (key state polling based)

Classification

Process Tree

  • System is w10x64
  • 7FW4ce2RDy.exe (PID: 6908 cmdline: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' MD5: 776211EED31B6A8EA3539AC1D822362C)
    • svchost.exe (PID: 3652 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • WerFault.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 2992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • chrome.exe (PID: 5608 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe MD5: C139654B5C1438A95B321BB01AD63EF6)
    • 562Server.exe (PID: 4472 cmdline: 'C:\Windows\system32\562Server.exe' MD5: B207157C9F171556BF4D240C14AABA0E)
      • System.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' MD5: B207157C9F171556BF4D240C14AABA0E)
        • netsh.exe (PID: 6764 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • System.exe (PID: 6552 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' .. MD5: B207157C9F171556BF4D240C14AABA0E)
  • System.exe (PID: 3156 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' .. MD5: B207157C9F171556BF4D240C14AABA0E)
  • System.exe (PID: 6872 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' .. MD5: B207157C9F171556BF4D240C14AABA0E)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.6.4", "Install Name": "System.exe", "Install Dir": "TEMP", "Registry Value": "301b5fcf8ce2fab8868e80b6c1f912fe", "Host": "windownssystem.ddns.net", "Port": "1010", "Network Seprator": "|'|'|"}

Threatname: Xtreme RAT

{"id": "MuAwaY", "group": "MuAwaY", "version": "T2.9", "mutex": "HgDdsuTd", "installdir": "MuAwaYOriginal", "installdirfile": "MuAwaY.exe", "ftp server": "ftp.ftpserver.com"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings

Source: 7FW4ce2RDy.exe | Rule: RAT_Xtreme | Description: Detects Xtreme RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: XTREME
  • 0x9db8:$a: XTREME
  • 0xab70:$a: XTREME
  • 0x46b20:$a: XTREME
  • 0x46b2e:$a: XTREME
  • 0x54320:$a: XTREME
  • 0x5432e:$a: XTREME
  • 0xbd74:$b: ServerStarted
  • 0x89f0:$c: XtremeKeylogger
  • 0x470c:$d: x.html
  • 0x854a:$e: Xtreme RAT

Source: 7FW4ce2RDy.exe | Rule: Xtreme_Sep17_1 | Description: Detects XTREME sample analyzed in September 2017 | Author: Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x490b9:$x2: TServerKeylogger
  • 0x89f0:$x3: XtremeKeylogger
  • 0xab70:$x4: XTREMEBINDER
  • 0x46b2e:$x4: XTREMEBINDER
  • 0x5432e:$x4: XTREMEBINDER
  • 0xa850:$s1: shellexecute=
  • 0x6d4c:$s2: [Execute]
  • 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\

Source: 7FW4ce2RDy.exe | Rule: JoeSecurity_XtremeRat | Description: Yara detected Xtreme RAT | Author: Kevin Breen <kevin@techanarchy.net>

Source: 7FW4ce2RDy.exe | Rule: xtremrat | Description: Xtrem RAT v3.5 | Author: Jean-Philippe Teissier / @Jipe_
  • 0x45d8:$a: XTREME
  • 0x9db8:$a: XTREME
  • 0xab70:$a: XTREME
  • 0x46b20:$a: XTREME
  • 0x46b2e:$a: XTREME
  • 0x54320:$a: XTREME
  • 0x5432e:$a: XTREME
  • 0xab70:$b: XTREMEBINDER
  • 0x46b2e:$b: XTREMEBINDER
  • 0x5432e:$b: XTREMEBINDER
  • 0x9dcc:$c: STARTSERVERBUFFER
  • 0xcbb4:$d: SOFTWARE\XtremeRAT
  • 0x89f0:$f: XtremeKeylogger
  • 0x854a:$h: Xtreme RAT

Dropped Files

Source | Rule | Description | Author | Strings

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | Rule: RAT_njRat | Description: Detects njRAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del

Source: C:\Windows\SysWOW64\562Server.exe | Rule: RAT_njRat | Description: Detects njRAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Source: C:\Windows\SysWOW64\562Server.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Source: C:\Windows\SysWOW64\562Server.exe | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x61dc:$a1: netsh firewall add allowedprogram
  • 0x61ac:$a2: SEE_MASK_NOZONECHECKS
  • 0x6598:$b1: [TAP]
  • 0x64ec:$c2: cmd.exe /c ping 127.0.0.1 & del
  • 0x64ec:$c3: cmd.exe /c ping

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp | Rule: RAT_njRat | Description: Detects njRAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5df0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x5fdc:$s2: netsh firewall add allowedprogram
  • 0x5e16:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x5f24:$s4: yyyy-MM-dd
  • 0x62ec:$v2: cmd.exe /c ping 127.0.0.1 & del

Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x5fdc:$a1: netsh firewall add allowedprogram
  • 0x5fac:$a2: SEE_MASK_NOZONECHECKS
  • 0x6398:$b1: [TAP]
  • 0x62ec:$c2: cmd.exe /c ping 127.0.0.1 & del
  • 0x62ec:$c3: cmd.exe /c ping

Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp | Rule: RAT_njRat | Description: Detects njRAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5df0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x5fdc:$s2: netsh firewall add allowedprogram
  • 0x5e16:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x5f24:$s4: yyyy-MM-dd
  • 0x62ec:$v2: cmd.exe /c ping 127.0.0.1 & del

Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 8.2.System.exe.3e0000.0.unpack | Rule: RAT_njRat | Description: Detects njRAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del

Source: 8.2.System.exe.3e0000.0.unpack | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Source: 8.2.System.exe.3e0000.0.unpack | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x61dc:$a1: netsh firewall add allowedprogram
  • 0x61ac:$a2: SEE_MASK_NOZONECHECKS
  • 0x6598:$b1: [TAP]
  • 0x64ec:$c2: cmd.exe /c ping 127.0.0.1 & del
  • 0x64ec:$c3: cmd.exe /c ping

Source: 19.0.System.exe.3e0000.0.unpack | Rule: RAT_njRat | Description: Detects njRAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del

Source: 19.0.System.exe.3e0000.0.unpack | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started | Author: David Burkett | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' , ParentImage: C:\Users\user\Desktop\7FW4ce2RDy.exe, ParentProcessId: 6908, ProcessCommandLine: svchost.exe, ProcessId: 3652

Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' , ParentImage: C:\Users\user\Desktop\7FW4ce2RDy.exe, ParentProcessId: 6908, ProcessCommandLine: svchost.exe, ProcessId: 3652

Sigma detected: Netsh Port or Application Allowed
Source: Process started | Author: Markus Neis, Sander Wiebing | Data: Command: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE, CommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\System.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\System.exe, ParentProcessId: 5712, ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE, ProcessId: 6764

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' , ParentImage: C:\Users\user\Desktop\7FW4ce2RDy.exe, ParentProcessId: 6908, ProcessCommandLine: svchost.exe, ProcessId: 3652

Jbx Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\System.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\562Server.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration
Source: 00000000.00000002.296286620.000000000076A000.00000004.00000020.sdmp | Malware Configuration Extractor: Xtreme RAT {"id": "MuAwaY", "group": "MuAwaY", "version": "T2.9", "mutex": "HgDdsuTd", "installdir": "MuAwaYOriginal", "installdirfile": "MuAwaY.exe", "ftp server": "ftp.ftpserver.com"}
Source: 4.2.562Server.exe.1d0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.6.4", "Install Name": "System.exe", "Install Dir": "TEMP", "Registry Value": "301b5fcf8ce2fab8868e80b6c1f912fe", "Host": "windownssystem.ddns.net", "Port": "1010", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for submitted file
Source: 7FW4ce2RDy.exe | Virustotal: Detection: 83%
Source: 7FW4ce2RDy.exe | ReversingLabs: Detection: 93%

Yara detected Njrat
Source: Yara match | File source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.559691939.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7FW4ce2RDy.exe PID: 6908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 562Server.exe PID: 4472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 5712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 3156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 6872, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED

Antivirus / Scanner detection for submitted sample
Source: 7FW4ce2RDy.exe | Avira: detected

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\System.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\562Server.exe | ReversingLabs: Detection: 95%

Machine Learning detection for sample
Source: 7FW4ce2RDy.exe | Joe Sandbox ML: detected

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\System.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\562Server.exe | Joe Sandbox ML: detected
Source: 4.2.562Server.exe.1d0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 1.2.svchost.exe.10000000.0.unpack | Avira: Label: TR/Agent.ssnsz
Source: 16.0.System.exe.d50000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack | Avira: Label: TR/Agent.ssnsz
Source: 20.2.System.exe.240000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 20.0.System.exe.240000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 8.0.System.exe.3e0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.0.562Server.exe.1d0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 16.2.System.exe.d50000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 8.2.System.exe.3e0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 19.0.System.exe.3e0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack | Avira: Label: TR/Agent.ssnsz
Source: 19.2.System.exe.3e0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 1.0.svchost.exe.10000000.0.unpack | Avira: Label: TR/Agent.ssnsz
Source: 7FW4ce2RDy.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\562Server.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 7FW4ce2RDy.exe | Binary or memory string: autorun.inf
Source: 7FW4ce2RDy.exe | Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 7FW4ce2RDy.exe | Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 7FW4ce2RDy.exe, 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp | Binary or memory string: [autorun]
Source: svchost.exe | Binary or memory string: autorun.inf
Source: svchost.exe | Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: svchost.exe | Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: svchost.exe, 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: 7FW4ce2RDy.exe | Binary or memory string: [autorun]
Source: 7FW4ce2RDy.exe | Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10005CA4 FindFirstFileW,FindClose, | 0_2_10005CA4

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: windownssystem.ddns.net

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: windownssystem.ddns.net
Source: unknown | DNS traffic detected: query: windownssystem.ddns.net replaycode: Name error (3)
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100068EC InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle, | 0_2_100068EC
Source: unknown | DNS traffic detected: queries for: windownssystem.ddns.net
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10005F86 URLDownloadToCacheFileW,CopyFileW, | 0_2_10005F86

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 562Server.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: System.exe.4.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 4.2.562Server.exe.1d0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 4.0.562Server.exe.1d0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 301b5fcf8ce2fab8868e80b6c1f912fe.exe.8.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 8.0.System.exe.3e0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 8.2.System.exe.3e0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 16.0.System.exe.d50000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 16.2.System.exe.d50000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 19.0.System.exe.3e0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 19.2.System.exe.3e0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 20.2.System.exe.240000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 20.0.System.exe.240000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10008568 SetWindowsHookExW 0000000D,10008040,00000000,00000000 | 0_2_10008568
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10008040 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx, | 0_2_10008040
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard, | 0_2_100069DC
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard, | 0_2_100069DC
Source: 7FW4ce2RDy.exe, 00000000.00000002.296286620.000000000076A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10006D04 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, | 0_2_10006D04

E-Banking Fraud:

Yara detected Njrat
Source: Yara match | File source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.559691939.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7FW4ce2RDy.exe PID: 6908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 562Server.exe PID: 4472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 5712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 3156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 6872, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: 01 00 00 00

                System Summary:

Yara detected Xtreme RAT
Source: Yara match, File source: 7FW4ce2RDy.exe, type: SAMPLE
Source: Yara match, File source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Malicious sample detected (through community Yara rule)
Source: 7FW4ce2RDy.exe, type: SAMPLE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7FW4ce2RDy.exe, type: SAMPLE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 7FW4ce2RDy.exe, type: SAMPLE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.291223895.0000000010056000.00000008.00020000.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.304153426.0000000010048000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000000.293164908.0000000010048000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Xtreme RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects XTREME sample analyzed in September 2017, Author: Florian Roth
Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.291215045.0000000010048000.00000080.00020000.sdmp, type: MEMORY, Matched rule: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED, Matched rule: Detects njRAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Installs Xtreme RAT
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe, Key created: HKEY_CURRENT_USER\SOFTWARE\XtremeRAT
Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe, Code function: 0_2_10048CE7
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe, Code function: 0_2_10048E4D
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe, Code function: 0_2_100486C1
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe, Code function: 0_2_10048F11
Source: 7FW4ce2RDy.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7FW4ce2RDy.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7FW4ce2RDy.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7FW4ce2RDy.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7FW4ce2RDy.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: 7FW4ce2RDy.exe, type: SAMPLE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 7FW4ce2RDy.exe, type: SAMPLE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7FW4ce2RDy.exe, type: SAMPLE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp, type: MEMORY, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000000.00000000.291223895.0000000010056000.00000008.00020000.sdmp, type: MEMORY, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.304153426.0000000010048000.00000040.00000001.sdmp, type: MEMORY, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY, Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
                Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000001.00000000.293164908.0000000010048000.00000040.00000001.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000000.00000000.291215045.0000000010048000.00000080.00020000.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPEDMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPEDMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPEDMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
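The rows above are flattened table cells. As an added example (not code from the report or from Joe Sandbox), the Python below parses them back into fields, recovers the process index and dump stage from the memory-dump name, and groups the matched rule families per process so one can see which process carried which RAT. The dump-name layout (process index, stage, dump id, base address, protection, kind, with stage 0 = process start, 2 = process end, 3 = during execution) and the rule-to-family map are assumptions made here, not something the report states.

```python
"""Parse 'Source ... Matched rule' rows of a Joe Sandbox report (added example).

Assumption (not from the report): a memory-dump source is named
'<process index>.<stage>.<dump id>.<base address>.<protection>.<kind>.sdmp',
with stage 0 = process start, 2 = process end, 3 = during execution.
"""
import re
from collections import defaultdict

# Rows copied from the report above, with the field separator restored.
REPORT_ROWS = [
    "Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net",
    "Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme",
    "Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research",
    "Source: C:\\Windows\\SysWOW64\\562Server.exe, type: DROPPED | Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\System.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net",
]

ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<kind>MEMORY|DROPPED)\s*\|\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Assumed dump-name layout (see module docstring).
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\."
)
# 'key = value' pairs; a value runs until the next ', key =' or end of line,
# so list-valued fields such as 'ver = 2.9, 3.1, 3.2, 3.5' stay intact.
META_RE = re.compile(r"(\w+)\s*=\s*(.+?)(?=,\s*\w+\s*=|$)")

# Rule name -> family, built from the rule names that occur in this report.
FAMILY_BY_RULE = {
    "RAT_njRat": "njRat", "njrat1": "njRat",
    "RAT_Xtreme": "Xtreme RAT", "xtremrat": "Xtreme RAT", "Xtreme_Sep17_1": "Xtreme RAT",
}


def parse_row(line):
    """Return a dict for one match row, or None if the line is not one."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["meta"] = {k: v.strip() for k, v in META_RE.findall(row["meta"])}
    row["family"] = FAMILY_BY_RULE.get(row["rule"], "unknown")
    d = DUMP_RE.match(row["source"]) if row["kind"] == "MEMORY" else None
    if d:
        row["process"] = int(d.group("proc"), 16)
        row["stage"] = int(d.group("stage"), 16)
        row["base"] = int(d.group("base"), 16)
    return row


def families_by_origin(lines):
    """Map each origin (process index for memory dumps, file path for dropped
    files) to the set of malware families whose YARA rules matched there."""
    out = defaultdict(set)
    for line in lines:
        row = parse_row(line)
        if row is not None:
            out[row.get("process", row["source"])].add(row["family"])
    return dict(out)


if __name__ == "__main__":
    for origin, fams in families_by_origin(REPORT_ROWS).items():
        print(origin, sorted(fams))
```

Grouping by origin is what makes the report readable: the Xtreme RAT rules only fire in the memory of processes 0 and 1, while every njRat hit sits in a dropped .NET executable or in a later process, so one submission carries two distinct families.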
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | File created: C:\Windows\SysWOW64\562Server.exe.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 100037AC appears 177 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 10003B94 appears 94 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 10003A34 appears 95 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 10006D04 appears 88 times
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: String function: 100037AC appears 177 times
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: String function: 10003B94 appears 94 times
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: String function: 10003A34 appears 95 times
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: String function: 10006D04 appears 88 times
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000649C NtdllDefWindowProc_A, 0_2_1000649C
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100064F4 NtdllDefWindowProc_A, 0_2_100064F4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_1000BD14
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000BD60 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_1000BD60
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10008568 VirtualFree,WriteFile,UnhookWindowsHookEx,SetFilePointer,GetFileSize,ReadFile,SetFilePointer,SetFileAttributesW,DeleteFileW,CreateFileW,WriteFile,CloseHandle,GetModuleHandleA,SetWindowsHookExW,UnhookWindowsHookEx,UnhookWindowsHookEx,GetModuleHandleA,SetWindowsHookExW,WriteFile,SetFilePointer,SetEndOfFile,NtdllDefWindowProc_A, 0_2_10008568
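The API lists above are the sandbox's per-function call traces, and the order of the calls is the whole point: a process is created, its main thread context is read, the original image is unmapped, a new one is written in, and only then is the thread resumed (process hollowing), while 0_2_10008568 installs a Windows hook and writes to a file (the shape of a file-logging keylogger). As an added example, not code from the report or from Joe Sandbox, the matcher below checks a trace for such ordered subsequences. The two traces are copied from the report, the benign control trace is constructed here, and the pattern definitions and the A/W and Nt/Zw folding are assumptions of this example rather than Joe Sandbox signatures.

```python
"""Flag process-hollowing and hook-then-write API sequences (added example).

A pattern matches when all of its calls occur in the trace in that relative
order, with other calls allowed in between (ordered subsequence, not a
contiguous run). Order is what separates hollowing from a normal launch: the
child is written to while suspended and resumed afterwards.
"""

# Call traces copied from the report (function id -> comma-separated API list).
TRACES = {
    "0_2_1000BD14": "CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,"
                    "NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,"
                    "WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,"
                    "SetThreadContext,ResumeThread",
    "0_2_10008568": "VirtualFree,WriteFile,UnhookWindowsHookEx,SetFilePointer,"
                    "GetFileSize,ReadFile,SetFilePointer,SetFileAttributesW,"
                    "DeleteFileW,CreateFileW,WriteFile,CloseHandle,GetModuleHandleA,"
                    "SetWindowsHookExW,UnhookWindowsHookEx,UnhookWindowsHookEx,"
                    "GetModuleHandleA,SetWindowsHookExW,WriteFile,SetFilePointer,"
                    "SetEndOfFile,NtdllDefWindowProc_A",
    # Constructed control (not from the report): a launcher that starts a
    # child and waits for it. It calls CreateProcessW but never touches the
    # child's memory or thread context.
    "constructed_benign": "CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle",
}

# Pattern definitions are this example's own, not sandbox signatures.
PATTERNS = {
    "process_hollowing": [
        "CreateProcess", "GetThreadContext", "NtUnmapViewOfSection",
        "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread",
    ],
    "keyboard_hook_to_file": ["GetModuleHandle", "SetWindowsHookEx", "WriteFile"],
}


def normalize(api):
    """Fold the ANSI/Unicode suffix and the Nt/Zw prefix so that, e.g.,
    CreateProcessA, CreateProcessW and ZwUnmapViewOfSection match one name.
    The suffix is only stripped after a lowercase letter, so identifiers such
    as NtdllDefWindowProc_A (underscore before the A) are left alone."""
    if api.startswith("Zw"):
        api = "Nt" + api[2:]
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        api = api[:-1]
    return api


def is_ordered_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in the same relative
    order, gaps allowed. One forward pass over haystack."""
    it = iter(haystack)
    return all(any(n == h for h in it) for n in needle)


def match_trace(trace):
    """Names of the patterns that match one comma-separated API trace."""
    calls = [normalize(c.strip()) for c in trace.split(",") if c.strip()]
    return sorted(name for name, seq in PATTERNS.items()
                  if is_ordered_subsequence([normalize(a) for a in seq], calls))


def scan(traces=TRACES):
    """Function id -> list of matching pattern names."""
    return {fid: match_trace(t) for fid, t in traces.items()}


if __name__ == "__main__":
    for fid, hits in scan().items():
        print(fid, hits or "-")
```

Subsequence matching errs on the side of recall: a debugger, a packer stub or a legitimate loader that uses SetThreadContext will match the hollowing pattern too, so treat a hit as a triage signal to confirm against the memory dumps, not as a verdict on its own.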
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000AF50 NtdllDefWindowProc_A, 0_2_1000AF50
Source: C:\Users\user\AppData\Local\Temp\System.exe | Code function: 8_2_04C01D72 NtQuerySystemInformation, 8_2_04C01D72
Source: C:\Users\user\AppData\Local\Temp\System.exe | Code function: 8_2_04C01D37 NtQuerySystemInformation, 8_2_04C01D37
Source: C:\Windows\SysWOW64\562Server.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\562Server.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@17/7@34/0
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100051E8 FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource, 0_2_100051E8
Source: 7FW4ce2RDy.exe | Virustotal: Detection: 83%
Source: 7FW4ce2RDy.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\7FW4ce2RDy.exe 'C:\Users\user\Desktop\7FW4ce2RDy.exe'
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process created: C:\Windows\SysWOW64\562Server.exe 'C:\Windows\system32\562Server.exe'
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564
Source: C:\Windows\SysWOW64\562Server.exe | Process created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe'
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 512
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' ..
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' ..
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' ..
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process created: C:\Windows\SysWOW64\562Server.exe 'C:\Windows\system32\562Server.exe'
Source: C:\Windows\SysWOW64\562Server.exe | Process created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe'
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE
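The "Process created" rows are parent/child pairs, and read as a tree they tell the story: the sample spawns a bare svchost.exe (the hollowing target, with no -k service group on its command line), drops and runs 562Server.exe from SysWOW64, which runs System.exe from the user's Temp folder, which in turn punches a firewall hole for itself with netsh. As an added example, not code from the report or from Joe Sandbox, the Python below rebuilds that tree from the rows and applies three checks: svchost.exe whose parent is not services.exe (the idea behind the "Suspect Svchost Activity" Sigma rule, simplified here to a one-entry parent allowlist), a netsh firewall exception, and an executable started from a user-writable Temp or Startup path. The rows are copied from the report; the check definitions are this example's own.

```python
"""Rebuild the process tree from 'Process created' rows and triage it
(added example, not part of the report). The checks are simplified versions
of common detection logic, not the sandbox's or Sigma's exact rules."""
import re
from collections import defaultdict

# Rows copied from the report, with the field separator restored.
ROWS = [
    "Source: unknown | Process created: C:\\Users\\user\\Desktop\\7FW4ce2RDy.exe 'C:\\Users\\user\\Desktop\\7FW4ce2RDy.exe'",
    "Source: C:\\Users\\user\\Desktop\\7FW4ce2RDy.exe | Process created: C:\\Windows\\SysWOW64\\svchost.exe svchost.exe",
    "Source: C:\\Users\\user\\Desktop\\7FW4ce2RDy.exe | Process created: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "Source: C:\\Users\\user\\Desktop\\7FW4ce2RDy.exe | Process created: C:\\Windows\\SysWOW64\\562Server.exe 'C:\\Windows\\system32\\562Server.exe'",
    "Source: C:\\Windows\\SysWOW64\\562Server.exe | Process created: C:\\Users\\user\\AppData\\Local\\Temp\\System.exe 'C:\\Users\\user\\AppData\\Local\\Temp\\System.exe'",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\System.exe | Process created: C:\\Windows\\SysWOW64\\netsh.exe netsh firewall add allowedprogram 'C:\\Users\\user\\AppData\\Local\\Temp\\System.exe' 'System.exe' ENABLE",
    "Source: C:\\Windows\\SysWOW64\\netsh.exe | Process created: C:\\Windows\\System32\\conhost.exe C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]

# The image path may contain spaces (Program Files), so it is taken lazily up
# to the first '.exe' that is followed by whitespace or end of line.
ROW_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|\s*Process created:\s*"
    r"(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$", re.I)

# Simplified parent allowlist for svchost.exe (an assumption of this example).
SVCHOST_PARENTS = {"services.exe"}
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|Start Menu\\Programs\\Startup)\\", re.I)
NETSH_FW_RE = re.compile(r"\bfirewall\b.*\ballowedprogram\b", re.I)


def parse_rows(rows):
    """Return a list of (parent_image, child_image, child_cmdline)."""
    procs = []
    for r in rows:
        m = ROW_RE.match(r.strip())
        if m:
            procs.append((m["parent"], m["image"], m["cmdline"] or ""))
    return procs


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(procs):
    """parent image -> list of child images, in creation order."""
    tree = defaultdict(list)
    for parent, child, _ in procs:
        tree[parent].append(child)
    return dict(tree)


def chain(procs, image):
    """Ancestry of an image, root first, following the rows' parent links.
    Stops at an unknown parent or on a cycle."""
    parent_of = {child: parent for parent, child, _ in procs}
    path = [image]
    while (path[-1] in parent_of and parent_of[path[-1]] != "unknown"
           and parent_of[path[-1]] not in path):
        path.append(parent_of[path[-1]])
    return path[::-1]


def find_suspect(procs):
    """Apply the three checks; return (check name, parent, child) findings."""
    findings = []
    for parent, child, cmdline in procs:
        cname, pname = basename(child), basename(parent)
        if cname == "svchost.exe" and pname not in SVCHOST_PARENTS:
            findings.append(("svchost_not_from_services", parent, child))
        if cname == "netsh.exe" and NETSH_FW_RE.search(cmdline):
            findings.append(("netsh_firewall_exception", parent, child))
        if USER_WRITABLE_RE.search(child):
            findings.append(("exec_from_user_writable_path", parent, child))
    return findings


if __name__ == "__main__":
    procs = parse_rows(ROWS)
    for check, parent, child in find_suspect(procs):
        print(check, "|", " -> ".join(basename(p) for p in chain(procs, child)))
```

Printing the full ancestry with each finding is deliberate: a netsh firewall exception added by an installer is routine, one added by a Temp-folder binary whose grandparent is the submitted sample is not, and the parent chain is what lets an analyst make that call without opening the report again.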
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | File created: C:\Users\user\AppData\Local\Temp\x.html
Source: C:\Windows\SysWOW64\562Server.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\562Server.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\562Server.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp