Play interactive tour

Edit tour

Windows Analysis Report dxEOMYaOtV.exe

Overview

General Information

Sample Name:	dxEOMYaOtV.exe
Analysis ID:	534013
MD5:	a20a44e2add8f2ee2434258a20ac815e
SHA1:	bf2886c5bda80c2cc1a1a8d3d270f3e82f3f39b9
SHA256:	87b9a82fa05019692e89dc944a4fe1ab669d1c844abfd509c7e3648a024d4a73
Tags:	exenjratRAT
Infos:
Most interesting Screenshot:
Errors Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Njrat

Antivirus / Scanner detection for submitted sample

Uses netsh to modify the Windows network and firewall settings

Machine Learning detection for sample

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Modifies the windows firewall

Contains functionality to spread to USB devices (.Net source)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

May infect USB drives

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Creates a window with clipboard capturing capabilities

Sigma detected: Netsh Port or Application Allowed

Classification

Process Tree

System is w10x64

dxEOMYaOtV.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\dxEOMYaOtV.exe" MD5: A20A44E2ADD8F2EE2434258A20AC815E)

netsh.exe (PID: 7096 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "3f0e7e396c4b65a76b6471f1f9d6d90a", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "SoftwareMicrosoftWindowsCurrentVersionRun", "Port": "NDQz", "Network Seprator": "|'|'|"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
dxEOMYaOtV.exe	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x13292:$s1: wireshark 0x1325c:$s2: procexp
dxEOMYaOtV.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
dxEOMYaOtV.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
dxEOMYaOtV.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15857:$reg: SEE_MASK_NOZONECHECKS 0x154dd:$msg: Execute ERROR 0x15531:$msg: Execute ERROR 0x15aa9:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15857:$reg: SEE_MASK_NOZONECHECKS 0x154dd:$msg: Execute ERROR 0x15531:$msg: Execute ERROR 0x15aa9:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: dxEOMYaOtV.exe PID: 7008	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.dxEOMYaOtV.exe.3b0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x13292:$s1: wireshark 0x1325c:$s2: procexp
0.0.dxEOMYaOtV.exe.3b0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
0.0.dxEOMYaOtV.exe.3b0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.dxEOMYaOtV.exe.3b0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.dxEOMYaOtV.exe.3b0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x13292:$s1: wireshark 0x1325c:$s2: procexp
0.2.dxEOMYaOtV.exe.3b0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
0.2.dxEOMYaOtV.exe.3b0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.dxEOMYaOtV.exe.3b0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: "C:\Users\user\Desktop\dxEOMYaOtV.exe" , ParentImage: C:\Users\user\Desktop\dxEOMYaOtV.exe, ParentProcessId: 7008, ProcessCommandLine: netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE, ProcessId: 7096

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "3f0e7e396c4b65a76b6471f1f9d6d90a", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "SoftwareMicrosoftWindowsCurrentVersionRun", "Port": "NDQz", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for submitted file

Show sources

Source: dxEOMYaOtV.exe	Virustotal: Detection: 66%			Perma Link
Source: dxEOMYaOtV.exe	ReversingLabs: Detection: 92%

Yara detected Njrat

Show sources

Source: Yara match	File source: dxEOMYaOtV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxEOMYaOtV.exe PID: 7008, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Show sources

Source: dxEOMYaOtV.exe

Avira: detected

Machine Learning detection for sample

Show sources

Source: dxEOMYaOtV.exe

Joe Sandbox ML: detected

Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: dxEOMYaOtV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: dxEOMYaOtV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Contains functionality to spread to USB devices (.Net source)

Show sources

Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, Usb1.cs	.Net Code: infect
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, Usb1.cs	.Net Code: infect

Source: dxEOMYaOtV.exe	Binary or memory string: [autorun]
Source: dxEOMYaOtV.exe	Binary or memory string: \autorun.inf
Source: dxEOMYaOtV.exe	Binary or memory string: autorun.inf
Source: dxEOMYaOtV.exe, 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp	Binary or memory string: \autorun.inf
Source: dxEOMYaOtV.exe, 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp	Binary or memory string: [autorun]
Source: dxEOMYaOtV.exe, 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp	Binary or memory string: autorun.inf
Source: dxEOMYaOtV.exe	Binary or memory string: \autorun.inf
Source: dxEOMYaOtV.exe	Binary or memory string: [autorun]
Source: dxEOMYaOtV.exe	Binary or memory string: autorun.inf

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: SoftwareMicrosoftWindowsCurrentVersionRun

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902

Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.123.118.63

Source: dxEOMYaOtV.exe, 00000000.00000002.1183036542.00000000009AB000.00000004.00000020.sdmp	String found in binary or memory: http://go.microsoft.
Source: dxEOMYaOtV.exe, 00000000.00000002.1183036542.00000000009AB000.00000004.00000020.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Source: dxEOMYaOtV.exe, 00000000.00000002.1183015023.000000000097A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Njrat

Show sources

Source: Yara match	File source: dxEOMYaOtV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxEOMYaOtV.exe PID: 7008, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: dxEOMYaOtV.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: dxEOMYaOtV.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: dxEOMYaOtV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: dxEOMYaOtV.exe, type: SAMPLE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dxEOMYaOtV.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dxEOMYaOtV.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Code function: 0_2_00B72478
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Code function: 0_2_04B64298
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Code function: 0_2_04B6428F

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Process Stats: CPU usage > 98%

Source: dxEOMYaOtV.exe, 00000000.00000002.1183015023.000000000097A000.00000004.00000020.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs dxEOMYaOtV.exe

Source: dxEOMYaOtV.exe	Virustotal: Detection: 66%
Source: dxEOMYaOtV.exe	ReversingLabs: Detection: 92%

Source: dxEOMYaOtV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\dxEOMYaOtV.exe "C:\Users\user\Desktop\dxEOMYaOtV.exe"
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Code function: 0_2_052B23DE AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Code function: 0_2_052B23A7 AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@4/2@0/1

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Mutant created: \Sessions\1\BaseNamedObjects\3f0e7e396c4b65a76b6471f1f9d6d90a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: dxEOMYaOtV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dxEOMYaOtV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: dxEOMYaOtV.exe, Stub/Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, Stub/Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, Stub/Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe TID: 7060	Thread sleep count: 1811 > 30
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe TID: 7060	Thread sleep time: -181100s >= -30000s

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Window / User API: threadDelayed 1811
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Window / User API: foregroundWindowGot 997
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Window / User API: foregroundWindowGot 500
Source: C:\Users\user\Desktop\dxEOMYaOtV.exe	Window / User API: foregroundWindowGot 498

Source: dxEOMYaOtV.exe, 00000000.00000002.1183036542.00000000009AB000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowDefinition="MachineOnly"/>

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Memory allocated: page read and write | page guard

Source: dxEOMYaOtV.exe	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: dxEOMYaOtV.exe, 00000000.00000002.1183552920.0000000002A93000.00000004.00000001.sdmp, dxEOMYaOtV.exe, 00000000.00000002.1184101682.0000000004D0B000.00000004.00000010.sdmp, dxEOMYaOtV.exe, 00000000.00000002.1183969540.0000000002EA0000.00000004.00000001.sdmp, dxEOMYaOtV.exe, 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp, dxEOMYaOtV.exe, 00000000.00000002.1183302082.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: dxEOMYaOtV.exe, 00000000.00000002.1184101682.0000000004D0B000.00000004.00000010.sdmp	Binary or memory string: C rdProgram Manager
Source: dxEOMYaOtV.exe	Binary or memory string: Shell_TrayWnd
Source: dxEOMYaOtV.exe	Binary or memory string: ProgMan
Source: dxEOMYaOtV.exe, 00000000.00000002.1183302082.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: dxEOMYaOtV.exe, 00000000.00000002.1183302082.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: dxEOMYaOtV.exe, 00000000.00000002.1183552920.0000000002A93000.00000004.00000001.sdmp, dxEOMYaOtV.exe, 00000000.00000002.1183969540.0000000002EA0000.00000004.00000001.sdmp, dxEOMYaOtV.exe, 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: qedProgram Manager
Source: dxEOMYaOtV.exe	Binary or memory string: Shell_traywnd

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Code function: 0_2_00B7A72E GetUserNameW,

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\dxEOMYaOtV.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE

Stealing of Sensitive Information:

Yara detected Njrat

Show sources

Source: Yara match	File source: dxEOMYaOtV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxEOMYaOtV.exe PID: 7008, type: MEMORYSTR

Remote Access Functionality:

Yara detected Njrat

Show sources

Source: Yara match	File source: dxEOMYaOtV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dxEOMYaOtV.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxEOMYaOtV.exe PID: 7008, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media11	Windows Management Instrumentation	Path Interception	Access Token Manipulation1	Masquerading1	Input Capture1	Security Software Discovery1	Replication Through Removable Media11	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection2	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools21	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection2	LSA Secrets	Peripheral Device Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery12	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dxEOMYaOtV.exe	66%	Virustotal		Browse
dxEOMYaOtV.exe	93%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
dxEOMYaOtV.exe	100%	Avira	TR/Dropper.Gen
dxEOMYaOtV.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.dxEOMYaOtV.exe.3b0000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File
0.0.dxEOMYaOtV.exe.3b0000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://go.microsoft.	0%	URL Reputation	safe
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
SoftwareMicrosoftWindowsCurrentVersionRun	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
SoftwareMicrosoftWindowsCurrentVersionRun	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	dxEOMYaOtV.exe, 00000000.00000002.1183036542.00000000009AB000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	dxEOMYaOtV.exe, 00000000.00000002.1183036542.00000000009AB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.123.118.63	unknown	United Kingdom		13213	UK2NET-ASGB	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	534013
Start date:	05.12.2021
Start time:	00:29:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	dxEOMYaOtV.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@4/2@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.3% (good quality ratio 1.2%) Quality average: 36.6% Quality standard deviation: 35.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information
Errors:	Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UK2NET-ASGB	iEChGuO0Wy.exe	Get hash	malicious	Browse	37.123.118.150
	ZDSWrJbftX.exe	Get hash	malicious	Browse	37.123.118.150
	Purchase Order.exe	Get hash	malicious	Browse	37.123.118.150
	Invoice.exe	Get hash	malicious	Browse	37.123.118.150
	Poh Tiong Trading - products list.exe	Get hash	malicious	Browse	37.123.118.150
	yMznKPLZVR.exe	Get hash	malicious	Browse	37.123.118.150
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	37.123.118.150
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	37.123.118.150
	ENQ 6205009033-6000003867.exe	Get hash	malicious	Browse	37.123.118.150
	77isbA5bpi.exe	Get hash	malicious	Browse	37.123.118.150
	RTfEx2KIxu	Get hash	malicious	Browse	77.92.90.80
	OlHeE02x0N.exe	Get hash	malicious	Browse	37.123.118.150
	TT COPY_02101011.exe	Get hash	malicious	Browse	37.123.118.150
	XKLyPH8fil.exe	Get hash	malicious	Browse	37.123.118.150
	Citation-HEQ211025001T-EXPP v4,pdf.exe	Get hash	malicious	Browse	37.123.118.150
	VSL_MV SEA-BLUE SHIP OWNERS.exe	Get hash	malicious	Browse	37.123.118.150
	Order.exe	Get hash	malicious	Browse	37.123.118.150
	New Offer.exe	Get hash	malicious	Browse	37.123.118.150
	202111161629639000582.exe	Get hash	malicious	Browse	37.123.118.150
	vGULtWc6Jh.exe	Get hash	malicious	Browse	37.123.118.150

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\app Download File
Process:	C:\Users\user\Desktop\dxEOMYaOtV.exe
File Type:	UTF-8 Unicode (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	C6BDBC9D86009CCF7E8DE878C9603213
SHA1:	2A4B8716F978F2D107BCD8294B486A5EE45AFE6E
SHA-256:	36A067FDFCEE95EB270F0B72E3B9E40D52C907D749FB9A8490D82F8EE56B29EB
SHA-512:	C42A52CD8837E2533B3D5EC97639F0C94287E3D7A6C73635C21DF50EBA8483B60DF15BF262A308836875CD9AFED504E7F98A2F6B254E4181FE548B1853D42256
Malicious:	false
Reputation:	low
Preview:	.5

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.567952442278428
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	dxEOMYaOtV.exe
File size:	95232
MD5:	a20a44e2add8f2ee2434258a20ac815e
SHA1:	bf2886c5bda80c2cc1a1a8d3d270f3e82f3f39b9
SHA256:	87b9a82fa05019692e89dc944a4fe1ab669d1c844abfd509c7e3648a024d4a73
SHA512:	ebb8b81d74aaf9475f64a23116da3d62497a6c92f6a7ac33fdcb7895e0aab6419c86ab92e104dc66cfc13a5bd0faa104fb3a997ce7bcfd0044e2ad3d25273e36
SSDEEP:	1536:RUXTr1IDavlZhbSKa9YdjEwzGi1dDyD6gS:RUXSDavlZIXmqi1dk/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!.a.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x418f2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A921A0 [Thu Dec 2 19:42:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ed8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16f34	0x17000	False	0.368089758832	data	5.59964154951	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2021 00:30:28.051211119 CET	49764	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:28.051249027 CET	443	49764	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:28.051323891 CET	49764	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:28.282568932 CET	49764	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:28.282613993 CET	443	49764	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:28.282705069 CET	443	49764	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:30.290872097 CET	49765	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:30.290950060 CET	443	49765	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:30.291079044 CET	49765	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:30.292226076 CET	49765	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:30.292262077 CET	443	49765	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:30.292335033 CET	443	49765	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:32.307003975 CET	49766	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:32.307065010 CET	443	49766	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:32.307214022 CET	49766	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:32.308785915 CET	49766	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:32.308821917 CET	443	49766	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:32.308876991 CET	443	49766	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:34.354434013 CET	49767	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:34.354479074 CET	443	49767	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:34.354573011 CET	49767	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:34.355950117 CET	49767	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:34.355978012 CET	443	49767	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:34.356045961 CET	443	49767	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:36.465723038 CET	49768	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:36.465790033 CET	443	49768	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:36.465889931 CET	49768	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:36.466759920 CET	49768	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:36.466789007 CET	443	49768	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:36.466886044 CET	443	49768	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:38.479134083 CET	49769	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:38.479182005 CET	443	49769	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:38.479335070 CET	49769	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:38.481561899 CET	49769	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:38.481578112 CET	443	49769	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:38.481667042 CET	443	49769	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:40.495225906 CET	49770	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:40.495274067 CET	443	49770	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:40.495368958 CET	49770	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:40.496953011 CET	49770	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:40.496970892 CET	443	49770	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:40.497047901 CET	443	49770	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:42.510999918 CET	49771	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:42.511065006 CET	443	49771	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:42.511161089 CET	49771	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:42.512016058 CET	49771	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:42.512041092 CET	443	49771	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:42.512113094 CET	443	49771	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:44.525800943 CET	49772	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:44.525851011 CET	443	49772	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:44.525952101 CET	49772	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:44.526917934 CET	49772	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:44.526936054 CET	443	49772	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:44.526997089 CET	443	49772	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:46.553313971 CET	49773	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:46.553364038 CET	443	49773	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:46.553448915 CET	49773	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:46.554281950 CET	49773	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:46.554296970 CET	443	49773	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:46.554372072 CET	443	49773	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:46.554568052 CET	49773	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:46.554583073 CET	443	49773	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:48.570416927 CET	49774	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:48.570487022 CET	443	49774	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:48.570611954 CET	49774	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:48.572103977 CET	49774	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:48.572127104 CET	443	49774	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:48.572212934 CET	443	49774	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:50.588819981 CET	49777	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:50.588891983 CET	443	49777	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:50.588983059 CET	49777	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:50.589863062 CET	49777	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:50.589890003 CET	443	49777	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:50.589975119 CET	443	49777	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:52.604760885 CET	49778	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:52.604837894 CET	443	49778	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:52.605140924 CET	49778	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:52.606569052 CET	49778	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:52.606606007 CET	443	49778	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:52.606647968 CET	443	49778	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:54.620657921 CET	49779	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:54.620702028 CET	443	49779	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:54.620773077 CET	49779	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:54.621716022 CET	49779	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:54.621737003 CET	443	49779	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:54.621789932 CET	443	49779	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:56.636663914 CET	49780	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:56.636735916 CET	443	49780	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:56.636835098 CET	49780	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:56.638216019 CET	49780	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:56.638240099 CET	443	49780	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:56.638307095 CET	443	49780	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:58.652590036 CET	49781	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:58.652652025 CET	443	49781	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:58.652776003 CET	49781	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:58.654016972 CET	49781	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:30:58.654047012 CET	443	49781	109.123.118.63	192.168.2.4
Dec 5, 2021 00:30:58.654145956 CET	443	49781	109.123.118.63	192.168.2.4
Dec 5, 2021 00:31:00.669383049 CET	49782	443	192.168.2.4	109.123.118.63
Dec 5, 2021 00:31:00.669451952 CET	443	49782	109.123.118.63	192.168.2.4

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: dxEOMYaOtV.exe PID: 7008 Parent PID: 5528

General

Start time:	00:30:18
Start date:	05/12/2021
Path:	C:\Users\user\Desktop\dxEOMYaOtV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dxEOMYaOtV.exe"
Imagebase:	0x3b0000
File size:	95232 bytes
MD5 hash:	A20A44E2ADD8F2EE2434258A20AC815E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, Author: Joe Security Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1182843286.00000000003B2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, Author: Joe Security Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.656185698.00000000003B2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1183435675.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: netsh.exe PID: 7096 Parent PID: 7008

General

Start time:	00:30:20
Start date:	05/12/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\dxEOMYaOtV.exe" "dxEOMYaOtV.exe" ENABLE
Imagebase:	0x9f0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7108 Parent PID: 7096

General

Start time:	00:30:21
Start date:	05/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report dxEOMYaOtV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Njrat

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

Behavior