Windows Analysis Report
bUPt.exe

Machine Learning detection for sample

Source: Yara match	File source: bUPt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUPt.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1624089626.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUPt.exe PID: 1308, type: MEMORYSTR

Source: bUPt.exe

Joe Sandbox ML: detected

Source: bUPt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bUPt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Snort IDS alert for network traffic

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: bUPt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49735 -> 46.246.80.19:1994
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49735 -> 46.246.80.19:1994
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49735 -> 46.246.80.19:1994

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: patria.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: patria.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 46.246.80.19:1994

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O8KftrnDOnwUOdb&MD=ueCf+rxm HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O8KftrnDOnwUOdb&MD=ueCf+rxm HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: patria.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: bUPt.exe, 00000000.00000002.2051200133.0000000001164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: bUPt.exe, 00000000.00000002.2051200133.0000000001164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: bUPt.exe, Keylogger.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match	File source: bUPt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUPt.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1624089626.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUPt.exe PID: 1308, type: MEMORYSTR

Source: C:\Users\user\Desktop\bUPt.exe

Code function: 0_2_015D19F0

0_2_015D19F0

Source: bUPt.exe, 00000000.00000000.1624109089.0000000000A28000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient1994.exe4 vs bUPt.exe
Source: bUPt.exe, 00000000.00000002.2051200133.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs bUPt.exe
Source: bUPt.exe	Binary or memory string: OriginalFilenameClient1994.exe4 vs bUPt.exe

Source: bUPt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/1@5/5

Source: C:\Users\user\Desktop\bUPt.exe	Code function: 0_2_052622AA AdjustTokenPrivileges,		0_2_052622AA
Source: C:\Users\user\Desktop\bUPt.exe	Code function: 0_2_05262273 AdjustTokenPrivileges,		0_2_05262273

Source: C:\Users\user\Desktop\bUPt.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bUPt.exe.log

Source: C:\Users\user\Desktop\bUPt.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\bUPt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\bUPt.exe	Mutant created: \Sessions\1\BaseNamedObjects\f179c84c13a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03

Source: bUPt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bUPt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\bUPt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: bUPt.exe

Virustotal: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\bUPt.exe "C:\Users\user\Desktop\bUPt.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1988,i,13026046254637796549,1595632273730165584,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\bUPt.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUPt.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bUPt.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUPt.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1988,i,13026046254637796549,1595632273730165584,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\bUPt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\bUPt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: bUPt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\bUPt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

.NET source code contains potential unpacker

Source: bUPt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: bUPt.exe, Program.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\bUPt.exe	Code function: 0_2_057D06CC push 69A2C3B0h; ret		0_2_057D06E2
Source: C:\Users\user\Desktop\bUPt.exe	Code function: 0_2_057D05A5 push 69A2C360h; ret		0_2_057D05BA

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\bUPt.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUPt.exe"
Source: C:\Users\user\Desktop\bUPt.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUPt.exe"			Jump to behavior

Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\bUPt.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bUPt.exe	Memory allocated: 5070000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\bUPt.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\bUPt.exe

Window / User API: threadDelayed 1537

Source: C:\Users\user\Desktop\bUPt.exe TID: 6888

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\bUPt.exe

Thread delayed: delay time: 922337203685477

Source: bUPt.exe, 00000000.00000002.2051200133.0000000001164000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\bUPt.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\bUPt.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: bUPt.exe, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: bUPt.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: bUPt.exe, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Source: bUPt.exe, 00000000.00000002.2051527998.0000000003075000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bUPt.exe, 00000000.00000002.2051527998.0000000003075000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\bUPt.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\bUPt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: bUPt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUPt.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1624089626.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUPt.exe PID: 1308, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: bUPt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUPt.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1624089626.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUPt.exe PID: 1308, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	12 System Information Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bUPt.exe	75%	Virustotal		Browse
bUPt.exe	100%	Avira	TR/Dropper.Gen7
bUPt.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
patria.duckdns.org	17%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://go.microsoft.	0%	URL Reputation	safe
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
patria.duckdns.org	100%	Avira URL Cloud	phishing
patria.duckdns.org	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.com	142.251.40.206	true	false		high
www.google.com	142.250.80.36	true	false		high
patria.duckdns.org	46.246.80.19	true	true	17%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
patria.duckdns.org	true	17%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	bUPt.exe, 00000000.00000002.2051200133.0000000001164000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	bUPt.exe, 00000000.00000002.2051200133.0000000001164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.80.36	www.google.com	United States	15169	GOOGLEUS	false
46.246.80.19	patria.duckdns.org	Sweden	42708	PORTLANEwwwportlanecomSE	true
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436115
Start date and time:	2024-05-03 20:08:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bUPt.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/1@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.80.99, 142.250.72.110, 172.253.122.84, 34.104.35.123, 23.206.121.47, 192.229.211.108, 142.250.176.195, 142.250.80.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:3fb1b101-3543-43ab-a071-b57438ac152e	Get hash	malicious	Unknown	Browse
	http://pixelread.com	Get hash	malicious	Unknown	Browse
	https://url.us.m.mimecastprotect.com/s/rYQHCYEBgkHWJjw3h0H9oU?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse
	Copy of BARBOT CONSTRUCTION.xlsx	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://2fa.com-token-auth.com/XSzVobGY4SGJYQThyamZTeUpxNHFrS0k1MGw5ZEF1Z1R5MkJEL2pwVFdReFNiRG5lSEwvdkh1V1NHcFJZVXN2OVNuSWlCTS9rSlVOSmMxRUNmSmtLTHFQa045N1Fpc0t2Q2xQMkRmdVVNNjJ0LzVhRW9JZitQWkpLN1RRTHFVU3Mvd2diKzNlZUtnUi9MZjM0OHRUNUphZ2lZcWI1bGJyRWE1cHVMRzhZaXVhT1VZMjlEcmpWcTQxVi0tdFRROWJmUXFZMm1yQkVpNi0taGdOZXpUazJaaTZEUGxnZ1pIRnR0UT09?cid=1990623394	Get hash	malicious	Unknown	Browse
	https://bitli.pro/28QSa_c914f238	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	http://88mansession.com	Get hash	malicious	Unknown	Browse
	https://www.billinginquiry.dfinsolutions.com/	Get hash	malicious	Unknown	Browse
	Scanned from Xerox KwlawMultiftr.rtf	Get hash	malicious	HTMLPhisher	Browse
	Purchase_Order_1803075641.htm	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
patria.duckdns.org	bUHH.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.84.12
	xVcsGL5R1Nbh.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	bUBD.exe	Get hash	malicious	Njrat	Browse	46.246.14.22
	x5gJuYmvL7m2.exe	Get hash	malicious	Njrat	Browse	46.246.82.18
	bTFU.exe	Get hash	malicious	Njrat	Browse	46.246.14.2
	bTDk.exe	Get hash	malicious	Njrat	Browse	46.246.80.3
	bT6H.exe	Get hash	malicious	Njrat	Browse	46.246.12.4
	bT6q.exe	Get hash	malicious	Njrat	Browse	46.246.12.14
	bT5A.exe	Get hash	malicious	Njrat	Browse	46.246.80.9
	bT57.exe	Get hash	malicious	Njrat	Browse	46.246.80.9
google.com	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:3fb1b101-3543-43ab-a071-b57438ac152e	Get hash	malicious	Unknown	Browse	142.250.80.68
	http://pixelread.com	Get hash	malicious	Unknown	Browse	142.251.35.164
	https://url.us.m.mimecastprotect.com/s/rYQHCYEBgkHWJjw3h0H9oU?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	142.251.40.196
	Copy of BARBOT CONSTRUCTION.xlsx	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	142.251.41.4
	https://2fa.com-token-auth.com/XSzVobGY4SGJYQThyamZTeUpxNHFrS0k1MGw5ZEF1Z1R5MkJEL2pwVFdReFNiRG5lSEwvdkh1V1NHcFJZVXN2OVNuSWlCTS9rSlVOSmMxRUNmSmtLTHFQa045N1Fpc0t2Q2xQMkRmdVVNNjJ0LzVhRW9JZitQWkpLN1RRTHFVU3Mvd2diKzNlZUtnUi9MZjM0OHRUNUphZ2lZcWI1bGJyRWE1cHVMRzhZaXVhT1VZMjlEcmpWcTQxVi0tdFRROWJmUXFZMm1yQkVpNi0taGdOZXpUazJaaTZEUGxnZ1pIRnR0UT09?cid=1990623394	Get hash	malicious	Unknown	Browse	142.251.40.132
	https://bitli.pro/28QSa_c914f238	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	142.250.80.100
	http://88mansession.com	Get hash	malicious	Unknown	Browse	142.251.40.228
	https://www.billinginquiry.dfinsolutions.com/	Get hash	malicious	Unknown	Browse	142.250.65.196
	Scanned from Xerox KwlawMultiftr.rtf	Get hash	malicious	HTMLPhisher	Browse	142.250.80.100
	Purchase_Order_1803075641.htm	Get hash	malicious	HTMLPhisher	Browse	142.250.80.68

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PORTLANEwwwportlanecomSE	L31owFeEHg.elf	Get hash	malicious	Mirai	Browse	188.126.80.88
	ORDER-290424-007994PT.vbs	Get hash	malicious	WSHRat, AgentTesla	Browse	178.73.192.9
	bUHH.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.84.12
	bUHF.exe	Get hash	malicious	Njrat	Browse	46.246.84.12
	xkzdRi6nGpg3.exe	Get hash	malicious	Njrat	Browse	46.246.84.12
	Price request N#U00b0DEM23000199.js	Get hash	malicious	AsyncRAT, PureLog Stealer, RedLine	Browse	178.73.192.3
	xjXIE2ZFFSw4.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.10
	xjXIE2ZFFSw4.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.10
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	188.126.94.80
	xVcsGL5R1Nbh.exe	Get hash	malicious	Njrat	Browse	46.246.6.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:3fb1b101-3543-43ab-a071-b57438ac152e	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	https://url.us.m.mimecastprotect.com/s/rYQHCYEBgkHWJjw3h0H9oU?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	https://2fa.com-token-auth.com/XSzVobGY4SGJYQThyamZTeUpxNHFrS0k1MGw5ZEF1Z1R5MkJEL2pwVFdReFNiRG5lSEwvdkh1V1NHcFJZVXN2OVNuSWlCTS9rSlVOSmMxRUNmSmtLTHFQa045N1Fpc0t2Q2xQMkRmdVVNNjJ0LzVhRW9JZitQWkpLN1RRTHFVU3Mvd2diKzNlZUtnUi9MZjM0OHRUNUphZ2lZcWI1bGJyRWE1cHVMRzhZaXVhT1VZMjlEcmpWcTQxVi0tdFRROWJmUXFZMm1yQkVpNi0taGdOZXpUazJaaTZEUGxnZ1pIRnR0UT09?cid=1990623394	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	https://bitli.pro/28QSa_c914f238	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.51.58.94 20.12.23.50
	Purchase_Order_1803075641.htm	Get hash	malicious	HTMLPhisher	Browse	23.51.58.94 20.12.23.50
	aaaaaaaa.exe	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	http://www.maxottawa.ca	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	Order PS24S0040.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.51.58.94 20.12.23.50
	https://dweb.link/ipfs/bafkreihtggm5lijbcmgnngp56fgtaxfzglditdvyi6vhk6v4yi5nmurq2u?filename=Login.html#pharmacovigilance@daiichi-sankyo.co.uk	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	XTBox.exe	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50

Process:	C:\Users\user\Desktop\bUPt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	907
Entropy (8bit):	5.243019596074263
Encrypted:	false
SSDEEP:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
MD5:	48A0572426885EBDE53CA62C7F2E194E
SHA1:	035628CDF6276367F6C83E9F4AA2172933850AA8
SHA-256:	4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
SHA-512:	DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.807256628078615
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	bUPt.exe
File size:	32'768 bytes
MD5:	b0f3ca4450a2f669b927ae1517dac1e7
SHA1:	7390d9dcd74c4c40f536c8f490f0ba1580523c77
SHA256:	81c18c346ad57ff5c4dc07fe51b0e9411704cb9df362aefd6d6275f6f9660d47
SHA512:	de72099a2b301b683534a163a4b3c918a035d1f2f2e25c714e5133b3ad3a62b201b14a200b3459cfa19ae339ec9035eaedd26be27fd70fe1db5b11e84b7ca936
SSDEEP:	384:O0bUe5XB4e0XvObfixBr/QdWTStTUFQqzFqObbm:fT9BumTifrYfkbm
TLSH:	41E2F84A7BB94125C6BD2AFC8CB313210772E3478532EB5F5CDC88CA4F676D04255AEA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5f.................P... ......ng... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40676e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66351AD6 [Fri May 3 17:11:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x671c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4774	0x5000	6d2b3ed5c9408fe653eaedb82933da1c	False	0.475439453125	data	5.298284360002511	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x2b0	0x1000	b5a4502eac901202af7dd46d217cb488	False	0.077880859375	data	0.6886353743137013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x1000	34585954bedb30c5084980db7d41ad8f	False	0.0087890625	data	0.013126943721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8058	0x254	data			0.46308724832214765

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/24-20:09:02.028125	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49735	1994	192.168.2.4	46.246.80.19
05/03/24-20:09:17.544251	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49735	1994	192.168.2.4	46.246.80.19
05/03/24-20:09:02.415867	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49735	1994	192.168.2.4	46.246.80.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 20:08:48.399949074 CEST	49678	443	192.168.2.4	104.46.162.224
May 3, 2024 20:08:50.165585041 CEST	49675	443	192.168.2.4	173.222.162.32
May 3, 2024 20:08:59.776361942 CEST	49675	443	192.168.2.4	173.222.162.32
May 3, 2024 20:09:01.679516077 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:01.926908970 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:01.926981926 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:02.028125048 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:02.415805101 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:02.415867090 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:02.714296103 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:03.401492119 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.401530981 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.401629925 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.401850939 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.401865959 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.605643034 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.606256962 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.606271029 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.607464075 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.607527971 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.608624935 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.608690023 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.649167061 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:03.649188995 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:03.696054935 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:05.843946934 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:05.843996048 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:05.844091892 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:05.876461983 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:05.876486063 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.069367886 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.069494963 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.072040081 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.072050095 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.072350979 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.114228010 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.160114050 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.245925903 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.246170044 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.246221066 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.246247053 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.246267080 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.246267080 CEST	49739	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.246275902 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.246283054 CEST	443	49739	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.321109056 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.321182966 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.321257114 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.321661949 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.321677923 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.504960060 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.505090952 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.506345034 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.506351948 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.506593943 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.507757902 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.552120924 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.683634043 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.683712006 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.683782101 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.684508085 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.684525967 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:06.684535980 CEST	49740	443	192.168.2.4	23.51.58.94
May 3, 2024 20:09:06.684542894 CEST	443	49740	23.51.58.94	192.168.2.4
May 3, 2024 20:09:08.527920008 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:08.818316936 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:08.850182056 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:08.905215025 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:09.108863115 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:09.416616917 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:11.500722885 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:11.500773907 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:11.500891924 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:11.501957893 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:11.501966953 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:11.812422991 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:11.812582970 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:11.815962076 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:11.815967083 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:11.816206932 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:11.867487907 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:13.509922028 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:13.552115917 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.584918976 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:13.584995031 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:13.585052013 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:13.671849966 CEST	49738	443	192.168.2.4	142.250.80.36
May 3, 2024 20:09:13.671885967 CEST	443	49738	142.250.80.36	192.168.2.4
May 3, 2024 20:09:13.707978010 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708003998 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708010912 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708033085 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708045959 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708053112 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708069086 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:13.708085060 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708096981 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:13.708127022 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:13.708256960 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708304882 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:13.708309889 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708352089 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:13.708389997 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:14.052109003 CEST	49741	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:14.052120924 CEST	443	49741	20.12.23.50	192.168.2.4
May 3, 2024 20:09:17.544250965 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:17.919920921 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:24.667407990 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:24.679038048 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:25.129389048 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:30.303397894 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:30.351990938 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:30.522245884 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:30.832148075 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:33.339523077 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:33.385037899 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:33.965553999 CEST	1994	49735	46.246.80.19	192.168.2.4
May 3, 2024 20:09:34.010073900 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:34.427508116 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:34.469377041 CEST	49735	1994	192.168.2.4	46.246.80.19
May 3, 2024 20:09:50.929323912 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:50.929358959 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:50.929425955 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:50.930213928 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:50.930226088 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.237323999 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.237509966 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.241369009 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.241374969 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.241628885 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.250333071 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.292118073 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.533731937 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.533756971 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.533775091 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.533817053 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.533827066 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.533865929 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.533879995 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.535000086 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.535038948 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.535047054 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.535079002 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.535084009 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.535094976 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.535124063 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.535144091 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.542033911 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.542048931 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:09:51.542066097 CEST	49747	443	192.168.2.4	20.12.23.50
May 3, 2024 20:09:51.542072058 CEST	443	49747	20.12.23.50	192.168.2.4
May 3, 2024 20:10:03.363476992 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:03.363488913 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:03.363574028 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:03.363864899 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:03.363873959 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:03.553366899 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:03.569869995 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:03.569888115 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:03.570328951 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:03.583549023 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:03.583642960 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:03.640125990 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:13.544414043 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:13.544481993 CEST	443	49749	142.250.80.36	192.168.2.4
May 3, 2024 20:10:13.544538021 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:13.603730917 CEST	49749	443	192.168.2.4	142.250.80.36
May 3, 2024 20:10:13.603773117 CEST	443	49749	142.250.80.36	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 20:08:59.007039070 CEST	53	62188	1.1.1.1	192.168.2.4
May 3, 2024 20:08:59.027780056 CEST	53	52484	1.1.1.1	192.168.2.4
May 3, 2024 20:08:59.143109083 CEST	61434	53	192.168.2.4	8.8.8.8
May 3, 2024 20:08:59.143488884 CEST	54793	53	192.168.2.4	1.1.1.1
May 3, 2024 20:08:59.231730938 CEST	53	54793	1.1.1.1	192.168.2.4
May 3, 2024 20:08:59.233828068 CEST	53	61434	8.8.8.8	192.168.2.4
May 3, 2024 20:08:59.618660927 CEST	53	62298	1.1.1.1	192.168.2.4
May 3, 2024 20:09:01.474365950 CEST	51639	53	192.168.2.4	1.1.1.1
May 3, 2024 20:09:01.578093052 CEST	53	51639	1.1.1.1	192.168.2.4
May 3, 2024 20:09:03.306466103 CEST	62975	53	192.168.2.4	1.1.1.1
May 3, 2024 20:09:03.306586981 CEST	60085	53	192.168.2.4	1.1.1.1
May 3, 2024 20:09:03.399970055 CEST	53	60085	1.1.1.1	192.168.2.4
May 3, 2024 20:09:03.400573969 CEST	53	62975	1.1.1.1	192.168.2.4
May 3, 2024 20:09:17.848649979 CEST	53	63021	1.1.1.1	192.168.2.4
May 3, 2024 20:09:18.922211885 CEST	138	138	192.168.2.4	192.168.2.255
May 3, 2024 20:09:38.541044950 CEST	53	55750	1.1.1.1	192.168.2.4
May 3, 2024 20:09:58.584681988 CEST	53	59987	1.1.1.1	192.168.2.4
May 3, 2024 20:10:00.927587986 CEST	53	57919	1.1.1.1	192.168.2.4
May 3, 2024 20:10:27.129776955 CEST	53	50994	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 20:08:59.143109083 CEST	192.168.2.4	8.8.8.8	0x7819	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
May 3, 2024 20:08:59.143488884 CEST	192.168.2.4	1.1.1.1	0x4010	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
May 3, 2024 20:09:01.474365950 CEST	192.168.2.4	1.1.1.1	0xe055	Standard query (0)	patria.duckdns.org	A (IP address)	IN (0x0001)	false
May 3, 2024 20:09:03.306466103 CEST	192.168.2.4	1.1.1.1	0x1114	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 3, 2024 20:09:03.306586981 CEST	192.168.2.4	1.1.1.1	0xd0c0	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 3, 2024 20:08:59.231730938 CEST	1.1.1.1	192.168.2.4	0x4010	No error (0)	google.com	142.251.40.206	A (IP address)	IN (0x0001)	false
May 3, 2024 20:08:59.233828068 CEST	8.8.8.8	192.168.2.4	0x7819	No error (0)	google.com	172.217.4.46	A (IP address)	IN (0x0001)	false
May 3, 2024 20:09:01.578093052 CEST	1.1.1.1	192.168.2.4	0xe055	No error (0)	patria.duckdns.org	46.246.80.19	A (IP address)	IN (0x0001)	false
May 3, 2024 20:09:03.399970055 CEST	1.1.1.1	192.168.2.4	0xd0c0	No error (0)	www.google.com		65	IN (0x0001)	false
May 3, 2024 20:09:03.400573969 CEST	1.1.1.1	192.168.2.4	0x1114	No error (0)	www.google.com	142.250.80.36	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 18:09:06 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-03 18:09:06 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=219292 Date: Fri, 03 May 2024 18:09:06 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 18:09:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-03 18:09:06 UTC	456	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 Cache-Control: public, max-age=219261 Date: Fri, 03 May 2024 18:09:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-03 18:09:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 18:09:13 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O8KftrnDOnwUOdb&MD=ueCf+rxm HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-03 18:09:13 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b3710b72-6457-4ddd-ad9b-e96c2b59e4bf MS-RequestId: a321ce81-6c54-42d4-81be-b5400d27a4ad MS-CV: HWwpTFtJcEK24BMd.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 03 May 2024 18:09:13 GMT Connection: close Content-Length: 24490
2024-05-03 18:09:13 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-03 18:09:13 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 18:09:51 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O8KftrnDOnwUOdb&MD=ueCf+rxm HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-03 18:09:51 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: ec8beaba-9b0c-4079-808d-a3d5b028b48a MS-RequestId: de25eefa-e23f-4388-b5f6-2b191efacb90 MS-CV: 9fDD47sIgEugZi/x.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 03 May 2024 18:09:50 GMT Connection: close Content-Length: 25457
2024-05-03 18:09:51 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-03 18:09:51 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	20:08:51
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\bUPt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bUPt.exe"
Imagebase:	0xa20000
File size:	32'768 bytes
MD5 hash:	B0F3CA4450A2F669B927AE1517DAC1E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1624089626.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	20:08:56
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	20:08:57
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1988,i,13026046254637796549,1595632273730165584,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	20:09:33
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUPt.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	20:09:33
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true