Windows
Analysis Report
gKi3fKq4Kh.exe
Overview
General Information
Detection
njRat, Xtreme RAT
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Yara detected Xtreme RAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Installs Xtreme RAT
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Contains functionality to inject threads in other processes
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
May infect USB drives
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Classification
- System is w10x64
- gKi3fKq4Kh.exe (PID: 2576 cmdline: "C:\Users\user\Desktop\gKi3fKq4Kh.exe" MD5: EE24B7367C090788A5D86D24BCEB27D2)
- svchost.exe (PID: 6456 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
- WerFault.exe (PID: 4056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 568 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- WerFault.exe (PID: 6548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 576 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- chrome.exe (PID: 3036 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe MD5: C139654B5C1438A95B321BB01AD63EF6)
- 794bab1182.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Local\Temp\794bab1182.exe" MD5: 1858BBF45BE50E685409DB249B798996)
- adobe.exe (PID: 5920 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" MD5: 1858BBF45BE50E685409DB249B798996)
- netsh.exe (PID: 5152 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- 747MBR Regenerator v4.5.exe (PID: 6516 cmdline: "C:\Windows\747MBR Regenerator v4.5.exe" MD5: FCA2AA6D8039DD107AFF1A3CFBE97F7B)
- adobe.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)
- adobe.exe (PID: 4360 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)
- adobe.exe (PID: 2980 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)
- cleanup
{"Host": "babaloo.duckdns.org", "Port": "1182", "Version": "0.7d", "Campaign ID": "Ativado Windows 7", "Install Name": "adobe.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
{"id": "Server", "group": "Servers", "version": "2.9", "mutex": "wzk5VL6RM0QU9blk", "installdir": "InstallDir", "installdirfile": "Server.exe", "ftp server": "ftp.ftpserver.com"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net> |
| Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth |
| JoeSecurity_XtremeRat | Yara detected Xtreme RAT | Kevin Breen <kevin@techanarchy.net> |
| xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth |
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
| MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen |
| njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
| Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |