Windows Analysis Report


General Information

Sample Name: gKi3fKq4Kh.exe
Analysis ID: 651955


njRat, Xtreme RAT


Yara detected Xtreme RAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Installs Xtreme RAT
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Contains functionality to inject threads in other processes
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
May infect USB drives
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)


  • System is w10x64
  • gKi3fKq4Kh.exe (PID: 2576 cmdline: "C:\Users\user\Desktop\gKi3fKq4Kh.exe" MD5: EE24B7367C090788A5D86D24BCEB27D2)
    • svchost.exe (PID: 6456 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • WerFault.exe (PID: 4056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 568 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 6548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 576 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • chrome.exe (PID: 3036 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe MD5: C139654B5C1438A95B321BB01AD63EF6)
    • 794bab1182.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Local\Temp\794bab1182.exe" MD5: 1858BBF45BE50E685409DB249B798996)
      • adobe.exe (PID: 5920 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" MD5: 1858BBF45BE50E685409DB249B798996)
        • netsh.exe (PID: 5152 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • adobe.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)
  • adobe.exe (PID: 4360 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)
  • adobe.exe (PID: 2980 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)
  • cleanup
{"Host": "babaloo.duckdns.org", "Port": "1182", "Version": "0.7d", "Campaign ID": "Ativado Windows 7", "Install Name": "adobe.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
{"id": "Server", "group": "Servers", "version": "2.9", "mutex": "wzk5VL6RM0QU9blk", "installdir": "InstallDir", "installdirfile": "Server.exe", "ftp server": "ftp.ftpserver.com"}
gKi3fKq4Kh.exe | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: XTREME
  • 0x9db8:$a: XTREME
  • 0xab70:$a: XTREME
  • 0xf380:$a: XTREME
  • 0xf38e:$a: XTREME
  • 0xbd74:$b: ServerStarted
  • 0x89f0:$c: XtremeKeylogger
  • 0x470c:$d: x.html
  • 0x854a:$e: Xtreme RAT
gKi3fKq4Kh.exe | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x51f69:$x2: TServerKeylogger
  • 0x89f0:$x3: XtremeKeylogger
  • 0xab70:$x4: XTREMEBINDER
  • 0xf38e:$x4: XTREMEBINDER
  • 0xa850:$s1: shellexecute=
  • 0x6d4c:$s2: [Execute]
  • 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
gKi3fKq4Kh.exe | JoeSecurity_XtremeRat | Yara detected Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
gKi3fKq4Kh.exe | xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_
    • 0x45d8:$a: XTREME
    • 0x9db8:$a: XTREME
    • 0xab70:$a: XTREME
    • 0xf380:$a: XTREME
    • 0xf38e:$a: XTREME
    • 0xab70:$b: XTREMEBINDER
    • 0xf38e:$b: XTREMEBINDER
    • 0x9dcc:$c: STARTSERVERBUFFER
    • 0xcbb4:$d: SOFTWARE\XtremeRAT
    • 0x89f0:$f: XtremeKeylogger
    • 0x854a:$h: Xtreme RAT
C:\Users\user\AppData\Local\Temp\adobe.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
    • 0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x4e9e:$s3: Executed As
    • 0x4e80:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\adobe.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Local\Temp\adobe.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
      • 0x4cd8:$s1: netsh firewall delete allowedprogram
      • 0x4db4:$s2: netsh firewall add allowedprogram
      • 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
      • 0x4e5c:$s4: Execute ERROR
      • 0x4eb8:$s4: Execute ERROR
      • 0x4e80:$s5: Download ERROR
      • 0x4fe4:$s6: [kl]
C:\Users\user\AppData\Local\Temp\adobe.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
      • 0x4db4:$a1: netsh firewall add allowedprogram
      • 0x4d84:$a2: SEE_MASK_NOZONECHECKS
      • 0x502e:$b1: [TAP]
      • 0x4d46:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\adobe.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
      • 0x4d84:$reg: SEE_MASK_NOZONECHECKS
      • 0x4e5c:$msg: Execute ERROR
      • 0x4eb8:$msg: Execute ERROR
      • 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del