Windows Analysis Report
itVg5XA6eK.exe

Overview

General Information

Sample Name: itVg5XA6eK.exe
Analysis ID: 753416
MD5: 8533ef6f79e259e9e5fe7c28f1fcd372
SHA1: 48c1f9b2a798a374b6e8c2e5fb655c19e5fa2ed3
SHA256: bbc8cabc1ba4f81d1ee316d3869ed8e61c91840cb533abee708a3099ab196470
Tags: exe, njrat, RAT

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • itVg5XA6eK.exe (PID: 6104 cmdline: C:\Users\user\Desktop\itVg5XA6eK.exe MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
    • rejdit_free_fire.exe (PID: 1852 cmdline: "C:\ProgramData\rejdit_free_fire.exe" MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
      • netsh.exe (PID: 2436 cmdline: netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rejdit_free_fire.exe (PID: 644 cmdline: "C:\ProgramData\rejdit_free_fire.exe" .. MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
  • rejdit_free_fire.exe (PID: 1280 cmdline: "C:\ProgramData\rejdit_free_fire.exe" .. MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
  • rejdit_free_fire.exe (PID: 1112 cmdline: "C:\ProgramData\rejdit_free_fire.exe" .. MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
  • cleanup
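The chain in the process tree (self-copy to C:\ProgramData, a netsh firewall exception for that copy, a second copy written to the per-user Startup folder) is the part of this sample a SOC can catch from ordinary process and file telemetry. The following is an added detection example and is not part of the Joe Sandbox report: Python run over constructed Sysmon-style events built from the PIDs, images, command lines and MD5s shown above. The file-create records, the parent of the root process and the benign control event (PID 4000) are modelled, not logged data. It also recognises the modern `netsh advfirewall ... program=` form, which this sample does not use.

```python
import re

# Constructed telemetry shaped like Sysmon Event ID 1 (process create) and
# Event ID 11 (file create). PIDs, images, command lines and MD5s come from
# the report's process tree; the file-create records, the parent link of the
# root process and the benign control (PID 4000) are modelled, not logged.
EVENTS = [
    {"id": 1, "pid": 6104, "ppid": 1234, "md5": "8533EF6F79E259E9E5FE7C28F1FCD372",
     "image": r"C:\Users\user\Desktop\itVg5XA6eK.exe",
     "cmdline": r"C:\Users\user\Desktop\itVg5XA6eK.exe"},
    {"id": 11, "pid": 6104, "target": r"C:\ProgramData\rejdit_free_fire.exe"},
    {"id": 1, "pid": 1852, "ppid": 6104, "md5": "8533EF6F79E259E9E5FE7C28F1FCD372",
     "image": r"C:\ProgramData\rejdit_free_fire.exe",
     "cmdline": r'"C:\ProgramData\rejdit_free_fire.exe"'},
    {"id": 1, "pid": 2436, "ppid": 1852, "md5": "A0AA3322BB46BBFC36AB9DC1DBBBB807",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE'},
    {"id": 11, "pid": 1852, "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe"},
    # benign control: an installer opening the firewall for a Program Files binary
    {"id": 1, "pid": 4000, "ppid": 3999, "md5": "A0AA3322BB46BBFC36AB9DC1DBBBB807",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow program="C:\Program Files\Foo\foo.exe"'},
]

# Locations a standard user can write to; a firewall exception for a binary
# here is far more suspicious than one for Program Files or System32.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

_NETSH = re.compile(r'^\s*"?(?:[^"\s]*\\)?netsh(?:\.exe)?"?\s', re.IGNORECASE)
# legacy `netsh firewall add allowedprogram <path> ...` (what this sample runs)
_LEGACY = re.compile(r'\badd\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# modern `netsh advfirewall firewall add rule ... program=<path>`
_MODERN = re.compile(r'\badd\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def firewall_exception_path(cmdline):
    """Return the program a netsh command whitelists, or None if this is not netsh."""
    if not _NETSH.match(cmdline):
        return None
    m = _LEGACY.search(cmdline) or _MODERN.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def directory_of(path):
    return path.rsplit("\\", 1)[0].lower()


def hunt(events):
    """Return (rule, pid, detail) for each install-chain behaviour observed."""
    procs = {}      # pid -> process-create event, for parent lookups
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            procs[ev["pid"]] = ev
            path = firewall_exception_path(ev["cmdline"])
            if path and is_user_writable(path):
                alerts.append(("netsh_allow_user_writable_binary", ev["pid"], path))
            parent = procs.get(ev["ppid"])
            # same hash launched from a different directory = self-copy relaunch
            if (parent and parent["md5"] == ev["md5"]
                    and directory_of(parent["image"]) != directory_of(ev["image"])):
                alerts.append(("self_copy_relaunch", ev["pid"], ev["image"]))
        elif ev["id"] == 11:
            target = ev["target"].lower()
            if STARTUP_MARKER in target and target.endswith(".exe"):
                alerts.append(("pe_dropped_to_startup_folder", ev["pid"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

Run against the constructed events it raises exactly three alerts (the relaunch of the ProgramData copy, the netsh exception for it, and the Startup-folder drop) and stays silent on the Program Files rule, which is the distinction worth keeping: netsh alone is noisy, netsh for a user-writable path is not.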
Malware Configuration

Njrat

{"Host": "h43vipforyou.ddns.net", "Port": "1177", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "rejdit_free_fire.exe", "Install Dir": "AllUsersProfile", "Network Seprator": "|'|'|"}
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
itVg5XA6eK.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
itVg5XA6eK.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x4ce8:$s1: netsh firewall delete allowedprogram
  • 0x4dc4:$s2: netsh firewall add allowedprogram
  • 0x4d56:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e6c:$s4: Execute ERROR
  • 0x4ec8:$s4: Execute ERROR
  • 0x4e90:$s5: Download ERROR
  • 0x4ff4:$s6: [kl]
itVg5XA6eK.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4dc4:$a1: netsh firewall add allowedprogram
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x503e:$b1: [TAP]
  • 0x4d56:$c3: cmd.exe /c ping
itVg5XA6eK.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3c9a:$a1: get_Registry
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e90:$a3: Download ERROR
  • 0x4d56:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ce8:$a5: netsh firewall delete allowedprogram "
itVg5XA6eK.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d94:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e6c:$msg: Execute ERROR
  • 0x4ec8:$msg: Execute ERROR
  • 0x4d56:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\rejdit_free_fire.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\ProgramData\rejdit_free_fire.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x4ce8:$s1: netsh firewall delete allowedprogram
  • 0x4dc4:$s2: netsh firewall add allowedprogram
  • 0x4d56:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e6c:$s4: Execute ERROR
  • 0x4ec8:$s4: Execute ERROR
  • 0x4e90:$s5: Download ERROR
  • 0x4ff4:$s6: [kl]
C:\ProgramData\rejdit_free_fire.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4dc4:$a1: netsh firewall add allowedprogram
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x503e:$b1: [TAP]
  • 0x4d56:$c3: cmd.exe /c ping
C:\ProgramData\rejdit_free_fire.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3c9a:$a1: get_Registry
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e90:$a3: Download ERROR
  • 0x4d56:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ce8:$a5: netsh firewall delete allowedprogram "
C:\ProgramData\rejdit_free_fire.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d94:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e6c:$msg: Execute ERROR
  • 0x4ec8:$msg: Execute ERROR
  • 0x4d56:$ping: cmd.exe /c ping 0 -n 2 & del
(5 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x7bb4:$a1: netsh firewall add allowedprogram
  • 0x7b84:$a2: SEE_MASK_NOZONECHECKS
  • 0x7e2e:$b1: [TAP]
  • 0x7b46:$c3: cmd.exe /c ping
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x6a8a:$a1: get_Registry
  • 0x7b84:$a2: SEE_MASK_NOZONECHECKS
  • 0x7c80:$a3: Download ERROR
  • 0x7b46:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x7ad8:$a5: netsh firewall delete allowedprogram "
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x7b84:$reg: SEE_MASK_NOZONECHECKS
  • 0x7c5c:$msg: Execute ERROR
  • 0x7cb8:$msg: Execute ERROR
  • 0x7b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
(6 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x4ce8:$s1: netsh firewall delete allowedprogram
  • 0x4dc4:$s2: netsh firewall add allowedprogram
  • 0x4d56:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e6c:$s4: Execute ERROR
  • 0x4ec8:$s4: Execute ERROR
  • 0x4e90:$s5: Download ERROR
  • 0x4ff4:$s6: [kl]
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4dc4:$a1: netsh firewall add allowedprogram
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x503e:$b1: [TAP]
  • 0x4d56:$c3: cmd.exe /c ping
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3c9a:$a1: get_Registry
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e90:$a3: Download ERROR
  • 0x4d56:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ce8:$a5: netsh firewall delete allowedprogram "
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d94:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e6c:$msg: Execute ERROR
  • 0x4ec8:$msg: Execute ERROR
  • 0x4d56:$ping: cmd.exe /c ping 0 -n 2 & del
(10 further entries not shown)
Sigma Overview

No Sigma rule has matched

Snort Overview

All alerts are TCP from 192.168.2.3 to 41.109.68.239:1177, classtype "A Network Trojan was detected". Rule names are those listed in the Networking section below; alerts are ordered by time.

Timestamp                 Source Port  SID      Rule
11/24/22-19:42:23.177340  49699        2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
11/24/22-19:42:23.319941  49699        2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)
11/24/22-19:42:23.319941  49699        2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)
11/24/22-19:42:28.743067  49699        2825564  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)
11/24/22-19:42:28.743067  49699        2814860  ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)
11/24/22-19:42:56.789376  49700        2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
11/24/22-19:42:56.884058  49700        2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)
11/24/22-19:42:56.884058  49700        2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)
11/24/22-19:43:01.745518  49700        2825564  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)
11/24/22-19:43:01.745518  49700        2814860  ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)
11/24/22-19:43:29.805466  49701        2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
11/24/22-19:43:29.909277  49701        2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)
11/24/22-19:43:29.909277  49701        2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)
11/24/22-19:43:44.045655  49701        2825564  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)
11/24/22-19:43:44.045655  49701        2814860  ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)
11/24/22-19:44:02.583206  49702        2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
11/24/22-19:44:02.683537  49702        2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)
11/24/22-19:44:02.683537  49702        2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)

            AV Detection

Source: itVg5XA6eK.exe | ReversingLabs: Detection: 100%
Source: itVg5XA6eK.exe | Virustotal: Detection: 76%
Source: Yara match | File source: itVg5XA6eK.exe, type: SAMPLE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED
Source: itVg5XA6eK.exe | Avira: detected
Source: h43vipforyou.ddns.net | Avira URL Cloud: Label: malware
Source: h43vipforyou.ddns.net | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\ProgramData\rejdit_free_fire.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\ProgramData\rejdit_free_fire.exe | ReversingLabs: Detection: 100%
Source: C:\ProgramData\rejdit_free_fire.exe | Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | Virustotal: Detection: 76%
Source: itVg5XA6eK.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\rejdit_free_fire.exe | Joe Sandbox ML: detected
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Njrat {"Host": "h43vipforyou.ddns.net", "Port": "1177", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "rejdit_free_fire.exe", "Install Dir": "AllUsersProfile", "Network Seprator": "|'|'|"}
Source: itVg5XA6eK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\itVg5XA6eK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: itVg5XA6eK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49702 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49702 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49702 -> 41.109.68.239:1177
Source: Malware configuration extractor | URLs: h43vipforyou.ddns.net
Source: unknown | DNS query: name: h43vipforyou.ddns.net
Source: Joe Sandbox View | ASN Name: ALGTEL-ASDZ ALGTEL-ASDZ
Source: global traffic | TCP traffic: 192.168.2.3:49699 -> 41.109.68.239:1177
Source: unknown | DNS traffic detected: queries for: h43vipforyou.ddns.net
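The extracted configuration and the Snort alerts describe the same thing from two sides: the bot resolves h43vipforyou.ddns.net, connects to port 1177 and speaks the njRAT 0.7d protocol whose field separator is the configured |'|'|, and the (ll), (inf) and (act) suffixes on the rule names are the command tokens that open each message. The Python below is an added example, not code from the report or from the sandbox: it frames and parses a constructed C2 stream using the configuration values above. The wire format it assumes (ASCII decimal payload length, NUL byte, payload; fields joined by the separator; first field is the command; the registration's first field is <campaign>_<volume serial>, base64-encoded on the wire) follows public njRAT analyses and is not something this report confirms. The host name, user, serial, date and window title in the sample stream are constructed.

```python
import base64
import json

# Configuration exactly as the sandbox extracted it (see Malware Configuration).
CONFIG = json.loads(
    '{"Host": "h43vipforyou.ddns.net", "Port": "1177", "Version": "0.7d", '
    '"Campaign ID": "HacKed", "Install Name": "rejdit_free_fire.exe", '
    '"Install Dir": "AllUsersProfile", "Network Seprator": "|\'|\'|"}'
)
SEP = CONFIG["Network Seprator"].encode()          # b"|'|'|"

# Command tokens the ET/ETPRO rule names above refer to as (ll), (inf), (act),
# plus the keylog token the Yara strings show as "[kl]". Meanings follow public
# njRAT analyses and are an assumption, not something this report states.
COMMANDS = {"ll": "registration", "inf": "host info", "act": "active window", "kl": "keylog"}


def frame(payload):
    """njRAT framing (assumed): ASCII decimal length, NUL, then the payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def split_stream(buf):
    """Split a TCP byte stream into complete payloads; return the unconsumed tail
    so a frame cut by segmentation can be completed with the next segment."""
    msgs = []
    while True:
        nul = buf.find(b"\x00")
        if nul <= 0 or not buf[:nul].isdigit():
            break                                 # no (valid) length prefix yet
        start, length = nul + 1, int(buf[:nul])
        if len(buf) < start + length:
            break                                 # frame still incomplete
        msgs.append(buf[start:start + length])
        buf = buf[start + length:]
    return msgs, buf


def maybe_b64(field):
    """njRAT base64-encodes some fields (victim ID, window title). Decode when the
    field is valid base64 yielding printable UTF-8; otherwise keep it verbatim."""
    try:
        text = base64.b64decode(field, validate=True).decode("utf-8")
        if text.isprintable():
            return text
    except (ValueError, UnicodeDecodeError):
        pass
    return field.decode("utf-8", "replace")


def parse_message(payload, sep=SEP):
    fields = payload.split(sep)
    cmd = fields[0].decode("ascii", "replace")
    return {"command": cmd, "meaning": COMMANDS.get(cmd, "other"),
            "fields": [maybe_b64(f) for f in fields[1:]]}


def matches_campaign(parsed, campaign=CONFIG["Campaign ID"]):
    """The registration's first field is <campaign>_<volume serial>, which is why
    the sandbox flags the volume-serial query: it ties traffic to this config."""
    return (parsed["command"] == "ll" and bool(parsed["fields"])
            and parsed["fields"][0].startswith(campaign + "_"))


# Constructed sample stream: a registration, an active-window report, and a
# keylog frame truncated by segmentation. Host name, user, serial, date and
# window title are made up; the field order follows public njRAT write-ups.
VICTIM_ID = base64.b64encode(b"HacKed_A1B2C3D4")
WINDOW = base64.b64encode(b"Free Fire - Downloading")
REGISTRATION = SEP.join([b"ll", VICTIM_ID, b"DESKTOP-TEST", b"user", b"22-11-24", b"",
                         b"Win 10 Pro SP0 x64", b"No", b"0.7d", b"", WINDOW, b""])
ACTIVE_WINDOW = SEP.join([b"act", WINDOW])
STREAM = frame(REGISTRATION) + frame(ACTIVE_WINDOW) + b"12\x00kl" + SEP[:2]

if __name__ == "__main__":
    msgs, tail = split_stream(STREAM)
    for m in msgs:
        p = parse_message(m)
        print(p["command"], p["meaning"], "campaign match" if matches_campaign(p) else "", p["fields"])
    print("unconsumed tail:", tail)
```

Feeding the stream through `split_stream` yields the two complete frames and hands back the truncated `kl` frame untouched, which is the behaviour a reassembling dissector needs; the registration decodes to a victim ID starting with `HacKed_`, linking the pcap to the extracted Campaign ID without relying on the C2 hostname at all.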

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: itVg5XA6eK.exe, kl.cs | .Net Code: VKCodeToUnicode
Source: rejdit_free_fire.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: rejdit_free_fire.exe, 00000001.00000002.505779349.000000000070A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

Source: Yara match | File source: itVg5XA6eK.exe, type: SAMPLE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED

            Operating System Destruction

Source: C:\ProgramData\rejdit_free_fire.exe | Process information set: 01 00 00 00

            System Summary

Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: itVg5XA6eK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: itVg5XA6eK.exeReversingLabs: Detection: 100%
            Source: itVg5XA6eK.exeVirustotal: Detection: 76%
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeFile read: C:\Users\user\Desktop\itVg5XA6eK.exeJump to behavior
            Source: itVg5XA6eK.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\itVg5XA6eK.exe C:\Users\user\Desktop\itVg5XA6eK.exe
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeProcess created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe"
            Source: C:\ProgramData\rejdit_free_fire.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe" ..
            Source: unknownProcess created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe" ..
            Source: unknownProcess created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe" ..
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeProcess created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe"
            Source: C:\ProgramData\rejdit_free_fire.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\itVg5XA6eK.exe.logJump to behavior
            Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@4/1
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: itVg5XA6eK.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\ProgramData\rejdit_free_fire.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeMutant created: \Sessions\1\BaseNamedObjects\869b16e2825dce24066aba38ee1a9add
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_01
            Source: C:\ProgramData\rejdit_free_fire.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\ProgramData\rejdit_free_fire.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\itVg5XA6eK.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: itVg5XA6eK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: itVg5XA6eK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: itVg5XA6eK.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: rejdit_free_fire.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe | File created: C:\ProgramData\rejdit_free_fire.exe (2 identical entries)
            Source: C:\ProgramData\rejdit_free_fire.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe

            Boot Survival

            Source: C:\ProgramData\rejdit_free_fire.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe
            Source: C:\ProgramData\rejdit_free_fire.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add
            Source: C:\ProgramData\rejdit_free_fire.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe (2 identical entries)
            Source: C:\ProgramData\rejdit_free_fire.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add (2 identical entries)
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe | Process information set: NOOPENFILEERRORBOX (21 identical entries)
            Source: C:\ProgramData\rejdit_free_fire.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
            Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
            Source: C:\ProgramData\rejdit_free_fire.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries)
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe TID: 6112 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe TID: 2148 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe TID: 1760 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe TID: 3508 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\rejdit_free_fire.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
            Source: C:\ProgramData\rejdit_free_fire.exe | Window / User API: threadDelayed 5692
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\rejdit_free_fire.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
            Source: rejdit_free_fire.exe, 00000001.00000002.506101970.000000000073B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\ProgramData\rejdit_free_fire.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: itVg5XA6eK.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: itVg5XA6eK.exe, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: rejdit_free_fire.exe.0.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: rejdit_free_fire.exe.0.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe | Process created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe"
            Source: rejdit_free_fire.exe, 00000001.00000002.509172881.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, rejdit_free_fire.exe, 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: rejdit_free_fire.exe, 00000001.00000002.509172881.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, rejdit_free_fire.exe, 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager|9
            Source: rejdit_free_fire.exe, 00000001.00000002.509172881.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, rejdit_free_fire.exe, 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager<
            Source: C:\ProgramData\rejdit_free_fire.exe | Queries volume information: C:\ VolumeInformation (4 identical entries)
            Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
            Source: C:\ProgramData\rejdit_free_fire.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\ProgramData\rejdit_free_fire.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE (2 identical entries)

            Stealing of Sensitive Information

            Source: Yara match | File source: itVg5XA6eK.exe, type: SAMPLE
            Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
            Source: Yara match | File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED

            Remote Access Functionality

            Source: itVg5XA6eK.exe, OK.cs | .Net Code: njRat config detected
            Source: rejdit_free_fire.exe.0.dr, OK.cs | .Net Code: njRat config detected
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, OK.cs | .Net Code: njRat config detected
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, OK.cs | .Net Code: njRat config detected
            Source: Yara match | File source: itVg5XA6eK.exe, type: SAMPLE
            Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
            Source: Yara match | File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED
            MITRE ATT&CK Matrix (techniques listed with a leading number were matched by this analysis; the others are the unmatched cells of the matrix)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
            Persistence: 221 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: 12 Process Injection; 221 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Defense Evasion: 1 Masquerading; 21 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 12 Process Injection; 11 Software Packing; Steganography; Compile After Delivery
            Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 11 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 12 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 11 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
            Behavior Graph (ID: 753416, Sample: itVg5XA6eK.exe, Startdate: 24/11/2022, Architecture: WINDOWS, Score: 100)

            Signatures at the root: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 14 other signatures
            Started from the root: itVg5XA6eK.exe; rejdit_free_fire.exe (three further instances)
            itVg5XA6eK.exe: dropped C:\ProgramData\rejdit_free_fire.exe (PE32) and C:\Users\user\AppData\...\itVg5XA6eK.exe.log (ASCII); started rejdit_free_fire.exe
            rejdit_free_fire.exe: DNS/IP h43vipforyou.ddns.net 41.109.68.239, port 1177 (local ports 49699, 49700), ALGTEL-ASDZ Algeria; dropped C:\...\869b16e2825dce24066aba38ee1a9add.exe (PE32); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 5 other signatures; started netsh.exe
            netsh.exe: started conhost.exe

            Source | Detection | Scanner | Label
            itVg5XA6eK.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            itVg5XA6eK.exe | 76% | Virustotal |
            itVg5XA6eK.exe | 100% | Avira | TR/Dropper.Gen7
            itVg5XA6eK.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 100% | Avira | TR/Dropper.Gen7
            C:\ProgramData\rejdit_free_fire.exe | 100% | Avira | TR/Dropper.Gen7
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 100% | Joe Sandbox ML |
            C:\ProgramData\rejdit_free_fire.exe | 100% | Joe Sandbox ML |
            C:\ProgramData\rejdit_free_fire.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            C:\ProgramData\rejdit_free_fire.exe | 76% | Virustotal |
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 76% | Virustotal |
            Source | Detection | Scanner | Label
            0.0.itVg5XA6eK.exe.440000.0.unpack | 100% | Avira | TR/Dropper.Gen7
            Source | Detection | Scanner | Label
            h43vipforyou.ddns.net | 10% | Virustotal |
            Source | Detection | Scanner | Label
            h43vipforyou.ddns.net | 100% | Avira URL Cloud | malware
            h43vipforyou.ddns.net | 10% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            h43vipforyou.ddns.net | 41.109.68.239 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            h43vipforyou.ddns.net | true | 10% Virustotal; Avira URL Cloud: malware | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            41.109.68.239 | h43vipforyou.ddns.net | Algeria | 36947 | ALGTEL-ASDZ | true
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:753416
            Start date and time:2022-11-24 19:41:09 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 39s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:itVg5XA6eK.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:18
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.adwa.spyw.evad.winEXE@9/5@4/1
            EGA Information:
            • Successful, ratio: 60%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 93.184.221.240
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
            • Execution Graph export aborted for target rejdit_free_fire.exe, PID 1280 because it is empty
            • Execution Graph export aborted for target rejdit_free_fire.exe, PID 644 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            19:42:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add "C:\ProgramData\rejdit_free_fire.exe" ..
            19:42:29 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add "C:\ProgramData\rejdit_free_fire.exe" ..
            19:42:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add "C:\ProgramData\rejdit_free_fire.exe" ..
            19:42:45 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe
            No context
            Process:C:\Users\user\Desktop\itVg5XA6eK.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):232960
            Entropy (8bit):6.66426413554523
            Encrypted:false
            SSDEEP:3072:HSuZ00DVrF1rVcCPP+Tl6Ws5cUYTMExjHSTdMTfNlx35eRPG+79IwGrpc:J/2TAcZyOjNlri7Ww
            MD5:8533EF6F79E259E9E5FE7C28F1FCD372
            SHA1:48C1F9B2A798A374B6E8C2E5FB655C19E5FA2ED3
            SHA-256:BBC8CABC1BA4F81D1EE316D3869ED8E61C91840CB533ABEE708A3099AB196470
            SHA-512:533FACB9E64028915336F7A7035E726409279309B05D2CF1E6DEF878513A85F49A9119F09E53BCC8371FF5BC8F91474B67934773E3C6A7AD12C3778FFA3F2697
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Joe Security
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\ProgramData\rejdit_free_fire.exe, Author: ditekSHen
            • Rule: njrat1, Description: Identify njRat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\ProgramData\rejdit_free_fire.exe, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\ProgramData\rejdit_free_fire.exe, Author: JPCERT/CC Incident Response Group
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 100%
            • Antivirus: Virustotal, Detection: 76%, Browse
            Reputation:low
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R[vc.................V...6.......t... ........@.. ....................................@.................................\t..O.......d2........................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc...d2.......4...X..............@..@.reloc..............................@..B.................t......H.......,K..0)....../....................................................0..........r...p.....r...p...........r...p.....rG..p.....rg..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rQ..p...........*...0..;.......~....o....o....rS..p~....(.....o.....o......%(.....(......*.........,,.......0..D.......~....o....o....rS..p~....(....o......(....o.....
            Process:C:\Users\user\Desktop\itVg5XA6eK.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):525
            Entropy (8bit):5.2874233355119316
            Encrypted:false
            SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
            MD5:80EFBEC081D7836D240503C4C9465FEC
            SHA1:6AF398E08A359457083727BAF296445030A55AC3
            SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
            SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
            Process:C:\ProgramData\rejdit_free_fire.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):525
            Entropy (8bit):5.2874233355119316
            Encrypted:false
            SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
            MD5:80EFBEC081D7836D240503C4C9465FEC
            SHA1:6AF398E08A359457083727BAF296445030A55AC3
            SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
            SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
            Malicious:false
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
            Process:C:\ProgramData\rejdit_free_fire.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):232960
            Entropy (8bit):6.66426413554523
            Encrypted:false
            SSDEEP:3072:HSuZ00DVrF1rVcCPP+Tl6Ws5cUYTMExjHSTdMTfNlx35eRPG+79IwGrpc:J/2TAcZyOjNlri7Ww
            MD5:8533EF6F79E259E9E5FE7C28F1FCD372
            SHA1:48C1F9B2A798A374B6E8C2E5FB655C19E5FA2ED3
            SHA-256:BBC8CABC1BA4F81D1EE316D3869ED8E61C91840CB533ABEE708A3099AB196470
            SHA-512:533FACB9E64028915336F7A7035E726409279309B05D2CF1E6DEF878513A85F49A9119F09E53BCC8371FF5BC8F91474B67934773E3C6A7AD12C3778FFA3F2697
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: Joe Security
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: ditekSHen
            • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: JPCERT/CC Incident Response Group
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 100%
            • Antivirus: Virustotal, Detection: 76%, Browse
            Reputation:low
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R[vc.................V...6.......t... ........@.. ....................................@.................................\t..O.......d2........................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc...d2.......4...X..............@..@.reloc..............................@..B.................t......H.......,K..0)....../....................................................0..........r...p.....r...p...........r...p.....rG..p.....rg..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rQ..p...........*...0..;.......~....o....o....rS..p~....(.....o.....o......%(.....(......*.........,,.......0..D.......~....o....o....rS..p~....(....o......(....o.....
            Process:C:\Windows\SysWOW64\netsh.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):313
            Entropy (8bit):4.971939296804078
            Encrypted:false
            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
            MD5:689E2126A85BF55121488295EE068FA1
            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
            Malicious:false
            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):6.66426413554523
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:itVg5XA6eK.exe
            File size:232960
            MD5:8533ef6f79e259e9e5fe7c28f1fcd372
            SHA1:48c1f9b2a798a374b6e8c2e5fb655c19e5fa2ed3
            SHA256:bbc8cabc1ba4f81d1ee316d3869ed8e61c91840cb533abee708a3099ab196470
            SHA512:533facb9e64028915336f7a7035e726409279309b05d2cf1e6def878513a85f49a9119f09e53bcc8371ff5bc8f91474b67934773e3c6a7ad12c3778ffa3f2697
            SSDEEP:3072:HSuZ00DVrF1rVcCPP+Tl6Ws5cUYTMExjHSTdMTfNlx35eRPG+79IwGrpc:J/2TAcZyOjNlri7Ww
            TLSH:4834BF821D4689E8EC7E1934102D1C4EC271DD3B85B62DDA9FCAF464C9B31E1606EA7F
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R[vc.................V...6.......t... ........@.. ....................................@................................
            Icon Hash:33f995df0f063033
            Entrypoint:0x4074ae
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x63765B52 [Thu Nov 17 16:03:30 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x745c | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x33264 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x54b4 | 0x5600 | False | 0.4898255813953488 | data | 5.58038459164499 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0x8000 | 0x33264 | 0x33400 | False | 0.6070121951219513 | data | 6.562617643019481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x3c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x80e8 | 0x32f80 | Device independent bitmap graphic, 226 x 446 x 32, image size 201592 | |
            RT_GROUP_ICON | 0x3b068 | 0x14 | data | |
            RT_MANIFEST | 0x3b07c | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            11/24/22-19:42:23.177340 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49699 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:23.319941 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49699 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:29.909277 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49701 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:56.789376 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49700 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:28.743067 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49699 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:01.745518 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49700 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:56.884058 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49700 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:29.805466 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49701 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:29.909277 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49701 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:44:02.683537 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49702 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:44.045655 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49701 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:44:02.583206 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49702 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:28.743067 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49699 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:44:02.683537 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49702 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:01.745518 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49700 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:44.045655 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49701 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:56.884058 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49700 | 1177 | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:23.319941 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49699 | 1177 | 192.168.2.3 | 41.109.68.239
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 24, 2022 19:42:22.877197981 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:22.978322029 CET  1177  49699  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:22.978456974 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:23.177340031 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:23.319797993 CET  1177  49699  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:23.319941044 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:23.475019932 CET  1177  49699  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:28.743067026 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:29.029788017 CET  1177  49699  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:53.837865114 CET  1177  49699  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:53.838188887 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:56.635041952 CET  49699  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:56.703151941 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:56.742235899 CET  1177  49699  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:56.776344061 CET  1177  49700  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:56.776509047 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:56.789376020 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:56.883812904 CET  1177  49700  41.109.68.239  192.168.2.3
Nov 24, 2022 19:42:56.884057999 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:42:56.986124992 CET  1177  49700  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:01.745517969 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:01.860215902 CET  1177  49700  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:27.425684929 CET  1177  49700  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:27.425894976 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:29.566560984 CET  49700  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:29.634968042 CET  1177  49700  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:29.699424028 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:29.769546032 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:29.769810915 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:29.805465937 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:29.909079075 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:29.909276962 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:30.009236097 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:35.919970989 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:36.018954992 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:43:44.045655012 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:43:44.143486023 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:44:00.425215006 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:44:00.425400019 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:44:02.437489986 CET  49701  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:44:02.491133928 CET  49702  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:44:02.504364014 CET  1177  49701  41.109.68.239  192.168.2.3
Nov 24, 2022 19:44:02.563647032 CET  1177  49702  41.109.68.239  192.168.2.3
Nov 24, 2022 19:44:02.563779116 CET  49702  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:44:02.583205938 CET  49702  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:44:02.682976007 CET  1177  49702  41.109.68.239  192.168.2.3
Nov 24, 2022 19:44:02.683537006 CET  49702  1177  192.168.2.3  41.109.68.239
Nov 24, 2022 19:44:02.784684896 CET  1177  49702  41.109.68.239  192.168.2.3
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 24, 2022 19:42:22.846184969 CET  49977  53  192.168.2.3  8.8.8.8
Nov 24, 2022 19:42:22.867410898 CET  53  49977  8.8.8.8  192.168.2.3
Nov 24, 2022 19:42:56.673460960 CET  57840  53  192.168.2.3  8.8.8.8
Nov 24, 2022 19:42:56.691323042 CET  53  57840  8.8.8.8  192.168.2.3
Nov 24, 2022 19:43:29.652144909 CET  57990  53  192.168.2.3  8.8.8.8
Nov 24, 2022 19:43:29.674014091 CET  53  57990  8.8.8.8  192.168.2.3
Nov 24, 2022 19:44:02.472203970 CET  52387  53  192.168.2.3  8.8.8.8
Nov 24, 2022 19:44:02.489883900 CET  53  52387  8.8.8.8  192.168.2.3
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Nov 24, 2022 19:42:22.846184969 CET  192.168.2.3  8.8.8.8  0x2f59  Standard query (0)  h43vipforyou.ddns.net  A (IP address)  IN (0x0001)  false
Nov 24, 2022 19:42:56.673460960 CET  192.168.2.3  8.8.8.8  0x243b  Standard query (0)  h43vipforyou.ddns.net  A (IP address)  IN (0x0001)  false
Nov 24, 2022 19:43:29.652144909 CET  192.168.2.3  8.8.8.8  0xa7fd  Standard query (0)  h43vipforyou.ddns.net  A (IP address)  IN (0x0001)  false
Nov 24, 2022 19:44:02.472203970 CET  192.168.2.3  8.8.8.8  0x8aba  Standard query (0)  h43vipforyou.ddns.net  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Nov 24, 2022 19:42:22.867410898 CET  8.8.8.8  192.168.2.3  0x2f59  No error (0)  h43vipforyou.ddns.net  -  41.109.68.239  A (IP address)  IN (0x0001)  false
Nov 24, 2022 19:42:56.691323042 CET  8.8.8.8  192.168.2.3  0x243b  No error (0)  h43vipforyou.ddns.net  -  41.109.68.239  A (IP address)  IN (0x0001)  false
Nov 24, 2022 19:43:29.674014091 CET  8.8.8.8  192.168.2.3  0xa7fd  No error (0)  h43vipforyou.ddns.net  -  41.109.68.239  A (IP address)  IN (0x0001)  false
Nov 24, 2022 19:44:02.489883900 CET  8.8.8.8  192.168.2.3  0x8aba  No error (0)  h43vipforyou.ddns.net  -  41.109.68.239  A (IP address)  IN (0x0001)  false
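The TCP list above shows the implant opening a fresh connection to 41.109.68.239:1177 on a new source port (49699, 49700, 49701, 49702) roughly every 33 seconds, each one preceded by a DNS lookup of h43vipforyou.ddns.net. When the dynamic DNS name or the resolved IP is not yet on a blocklist, that cadence is the remaining network handle. The Python below is an added example, not part of the Joe Sandbox report: it takes a subset of the report's own outbound packets, groups them by client source port to find connection starts, and measures how regular the reconnect interval is. The 10% jitter threshold is an assumption chosen for this example.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta
from statistics import mean

# Outbound packets copied from the report's TCP list: sandbox VM 192.168.2.3 to
# the resolved C2 41.109.68.239 on port 1177. A subset is enough; the grouping
# below only needs the earliest packet per client source port.
PACKETS = [
    # (timestamp, source port, dest port, source IP, dest IP)
    ("Nov 24, 2022 19:42:22.877197981 CET", 49699, 1177, "192.168.2.3", "41.109.68.239"),
    ("Nov 24, 2022 19:42:28.743067026 CET", 49699, 1177, "192.168.2.3", "41.109.68.239"),
    ("Nov 24, 2022 19:42:56.703151941 CET", 49700, 1177, "192.168.2.3", "41.109.68.239"),
    ("Nov 24, 2022 19:43:01.745517969 CET", 49700, 1177, "192.168.2.3", "41.109.68.239"),
    ("Nov 24, 2022 19:43:29.699424028 CET", 49701, 1177, "192.168.2.3", "41.109.68.239"),
    ("Nov 24, 2022 19:43:44.045655012 CET", 49701, 1177, "192.168.2.3", "41.109.68.239"),
    ("Nov 24, 2022 19:44:02.491133928 CET", 49702, 1177, "192.168.2.3", "41.109.68.239"),
    # One DNS packet from the UDP list, included to show it is filtered out.
    ("Nov 24, 2022 19:42:22.846184969 CET", 49977, 53, "192.168.2.3", "8.8.8.8"),
]

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_ts(text: str) -> datetime:
    """Parse the report's 'Nov 24, 2022 19:42:22.877197981 CET' format.

    The fraction has nine digits but datetime stores microseconds, so the
    last three digits are dropped; that precision is irrelevant for beaconing.
    """
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def connection_starts(packets, dst_ip: str, dst_port: int) -> list[datetime]:
    """Earliest packet seen per client source port towards dst_ip:dst_port.

    Each ephemeral source port is one TCP connection, so these are the times
    at which the implant (re)connected to its C2.
    """
    first: dict[int, datetime] = {}
    for ts, sport, dport, _src, dst in packets:
        if (dst, dport) != (dst_ip, dst_port):
            continue
        t = parse_ts(ts)
        if sport not in first or t < first[sport]:
            first[sport] = t
    return sorted(first.values())


def beacon_stats(starts: list[datetime]) -> dict:
    """Inter-connection gaps and a simple regularity verdict.

    'periodic' is True when every gap lies within 10% of the mean gap. The
    threshold is a hand-picked assumption for this example, not a standard.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return {"gaps": gaps, "mean": None, "max_dev": None, "periodic": False}
    avg = mean(gaps)
    max_dev = max(abs(g - avg) for g in gaps)
    return {"gaps": gaps, "mean": avg, "max_dev": max_dev,
            "periodic": max_dev / avg < 0.10}


if __name__ == "__main__":
    stats = beacon_stats(connection_starts(PACKETS, "41.109.68.239", 1177))
    for g in stats["gaps"]:
        print(f"reconnect after {g:6.2f} s")
    print(f"mean {stats['mean']:.2f} s, max deviation {stats['max_dev']:.2f} s, "
          f"periodic={stats['periodic']}")
```

On this sample the three reconnect gaps average about 33 seconds with well under a second of spread, which is what the verdict keys on. On live traffic the same grouping is applied per (source host, destination, port) over a sliding window, and the verdict should be combined with the destination's reputation (a dynamic DNS name resolving to a residential range, as here) rather than used alone, since legitimate keep-alives are also regular.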


            Target ID:0
            Start time:19:41:59
            Start date:24/11/2022
            Path:C:\Users\user\Desktop\itVg5XA6eK.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\itVg5XA6eK.exe
            Imagebase:0x440000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Target ID:1
            Start time:19:42:06
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe"
            Imagebase:0xb0000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Joe Security
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\ProgramData\rejdit_free_fire.exe, Author: ditekSHen
            • Rule: njrat1, Description: Identify njRat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\ProgramData\rejdit_free_fire.exe, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\ProgramData\rejdit_free_fire.exe, Author: JPCERT/CC Incident Response Group
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 100%, ReversingLabs
            • Detection: 76%, Virustotal, Browse
            Reputation:low

            Target ID:2
            Start time:19:42:14
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\netsh.exe
            Wow64 process (32bit):true
            Commandline:netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE
            Imagebase:0x10f0000
            File size:82944 bytes
            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:3
            Start time:19:42:15
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff745070000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:13
            Start time:19:42:29
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe" ..
            Imagebase:0x670000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Reputation:low

            Target ID:14
            Start time:19:42:37
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe" ..
            Imagebase:0x980000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Reputation:low

            Target ID:15
            Start time:19:42:45
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe" ..
            Imagebase:0xd70000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Reputation:low
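Two host-side behaviours in the process tree are worth alerting on independently of the file hash: target 2 uses the legacy netsh firewall context (rather than netsh advfirewall) to whitelist a binary living in C:\ProgramData, and the same MD5 runs first from the user's Desktop (target 0) and then from C:\ProgramData (targets 1, 13, 14, 15), which is the sample copying itself and relaunching. The Python below is an added example, not code from the report or from njRAT. The process records are copied from the entries above; the list of user-writable directory prefixes is an assumption for this example, and the advfirewall parsing handles a syntax this sample does not use.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    target_id: int   # the report's "Target ID"
    path: str
    cmdline: str
    md5: str


# Process records copied from the report's process tree.
PROCS = [
    Proc(0, r"C:\Users\user\Desktop\itVg5XA6eK.exe",
         r"C:\Users\user\Desktop\itVg5XA6eK.exe",
         "8533EF6F79E259E9E5FE7C28F1FCD372"),
    Proc(1, r"C:\ProgramData\rejdit_free_fire.exe",
         r'"C:\ProgramData\rejdit_free_fire.exe"',
         "8533EF6F79E259E9E5FE7C28F1FCD372"),
    Proc(2, r"C:\Windows\SysWOW64\netsh.exe",
         r'netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE',
         "A0AA3322BB46BBFC36AB9DC1DBBBB807"),
    Proc(3, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    Proc(13, r"C:\ProgramData\rejdit_free_fire.exe",
         r'"C:\ProgramData\rejdit_free_fire.exe" ..',
         "8533EF6F79E259E9E5FE7C28F1FCD372"),
]

# Directory prefixes a standard user can write to. An assumption for this
# example: a firewall exception for a binary here deserves a look, one for
# something under C:\Program Files usually does not.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Runs of non-blank characters with double-quoted segments kept whole, so that
# 'program="C:\Program Files\x.exe"' stays one token. shlex in POSIX mode
# would strip the backslashes out of Windows paths.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline: str) -> list[str]:
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def firewall_exception_program(cmdline: str) -> str | None:
    """Program path that a netsh command whitelists, or None.

    Covers the legacy 'netsh firewall add allowedprogram <path> <name> ENABLE'
    form this sample uses and the 'netsh advfirewall firewall add rule ...
    program=<path>' form.
    """
    t = tokenize(cmdline)
    if not t:
        return None
    exe = t[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if exe not in ("netsh", "netsh.exe"):
        return None
    low = [x.lower() for x in t]
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(t) > 4:
        return t[4]
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for tok in t[5:]:
            if tok.lower().startswith("program="):
                return tok.split("=", 1)[1]
    return None


def findings(procs: list[Proc]) -> list[str]:
    out: list[str] = []
    for p in procs:
        prog = firewall_exception_program(p.cmdline)
        if prog and prog.lower().startswith(USER_WRITABLE):
            out.append(f"target {p.target_id}: firewall exception for "
                       f"user-writable binary {prog}")
    # One hash, two directories: the sample copied itself and relaunched.
    dirs_by_hash: dict[str, set[str]] = defaultdict(set)
    for p in procs:
        dirs_by_hash[p.md5.upper()].add(p.path.lower().rsplit("\\", 1)[0])
    for md5, dirs in dirs_by_hash.items():
        if len(dirs) > 1:
            out.append(f"md5 {md5}: same image executed from "
                       + " and ".join(sorted(dirs)))
    return out


if __name__ == "__main__":
    for line in findings(PROCS):
        print(line)
```

In production the same two checks map onto process-creation telemetry (Sysmon event 1 or the equivalent EDR event) with the image hash and command line as inputs; the hash grouping needs a short time window per host so that a legitimately installed copy of a tool does not pair up with an unrelated run weeks later.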

            No disassembly