
769FE46D5321BD9661CDCF55FD63BB859A04435D4E110.exe

Status: finished
Submission Time: 2021-08-24 01:36:08 +02:00
Malicious
Trojan
Spyware
Evader
njRat

Tags

  • exe
  • njrat
  • RAT

Details

  • Analysis ID:
    470301
  • API (Web) ID:
    837870
  • Analysis Started:
    2021-08-24 01:36:09 +02:00
  • Analysis Finished:
    2021-08-24 01:52:45 +02:00
  • MD5:
    3d824c8c17957d261aaece5ee53047f3
  • SHA1:
    22be79dd301c9e317d30f9bbbe2d52deb607a934
  • SHA256:
    769fe46d5321bd9661cdcf55fd63bb859a04435d4e110eb27d20682a6a2c39b5
Joe Sandbox

  • Detection:
    malicious
  • Score:
    100
  • System:
    Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • malicious (Score: 47/64)
  • malicious (Score: 38/38)
  • malicious (Score: 28/29)
  • malicious

IPs

  • 192.169.69.26
    United States

Domains

  • hackerguru.duckdns.org
    192.169.69.26
  • hackerguru.ddns.net
    0.0.0.0

URLs

Name Detection

Dropped files

Name and File Type

  • C:\Users\user\AppData\Local\Temp\blogger.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  • C:\Users\user\AppData\Local\Temp\script.vbs
    ASCII text
  • C:\Users\user\AppData\Local\Temp\Server1.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\Server4.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\Server6.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\Simple Backlink Indexer.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\svhost2.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\svhost6.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\svhost4.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_leooiuv4.nt1.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gswy1utg.bwi.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rt1oezby.cbd.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjj14ie3.ztn.psm1
    very short file (no magic)
  • C:\Users\user\Documents\20210824\PowerShell_transcript.675052.4uYwS3Xn.20210824013718.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210824\PowerShell_transcript.675052.ESjLN_ML.20210824013712.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210824\PowerShell_transcript.675052.H1NYyX8Y.20210824013714.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210824\PowerShell_transcript.675052.JYCnAQpj.20210824013711.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210824\PowerShell_transcript.675052.MlAp7Xoo.20210824013714.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210824\PowerShell_transcript.675052.T57Pp1pU.20210824013722.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2im0rnk.ydj.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksm0ddf2.5hi.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server1.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkmj32pi.muz.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5i31ymt.403.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddahowch.d0j.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpkrmxy0.rs3.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3d4iv4kw.fbr.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0h2az4wk.rzn.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\Protect4a647d98.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server6.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server4.exe.log
    ASCII text, with CRLF line terminators