njRAT | 792ad1aa7d04

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\kEecfMwgj\Desktop\792ad1aa7d042b3a51290003dd51befe14499c85103f02d75cb4a022e1713160.exe

Sample File

Binary

Also Known As	C:\Notepad.exe (Dropped File, Accessed File) C:\Program Files (x86)\Explower.exe (Dropped File, Accessed File) C:\Umbrella.flv.exe (Dropped File, Accessed File) C:\Users\kEecfMwgj\AppData\Local\Temp\server.exe (Accessed File) C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe (Dropped File, Accessed File) C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4b86d937e29b1b51011983fd5145bbWindows Update.exe (Dropped File, Accessed File) C:\Windows\system32\Explower.exe (Dropped File, Accessed File) Z:\Umbrella.flv.exe (Accessed File) c:\users\keecfmwgj\appdata\local\temp\server.exe (VM File, Dropped File, Accessed File) c:\users\keecfmwgj\appdata\roaming\microsoft\windows\start menu\programs\startup\bf4b86d937e29b1b51011983fd5145bbwindows update.exe (VM File, Dropped File, Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	93.00 KB
MD5	267f11aeaa62420506bf00912608fd80
SHA1	a2c07492f065dce7f90665284ded763f6ab838e9
SHA256	792ad1aa7d042b3a51290003dd51befe14499c85103f02d75cb4a022e1713160
SSDeep	1536:S5Kw0i6FHfpmcYM1t/2jEwzGi1dDDDPgS:S5oFHfpzYMj//i1dTo
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x00418ECE
Size Of Code	0x00017000
Size Of Initialized Data	0x00000200
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2023-02-10 14:31 (UTC+1)

Sections (2)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00016ED4	0x00017000	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.6
.reloc	0x0041A000	0x0000000C	0x00000200	0x00017200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x00018EA4	0x000170A4	0x00000000

Memory Dumps (20)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
792ad1aa7d042b3a51290003dd51befe14499c85103f02d75cb4a022e1713160.exe	1	0x01370000	0x0138BFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
792ad1aa7d042b3a51290003dd51befe14499c85103f02d75cb4a022e1713160.exe	1	0x01370000	0x0138BFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
server.exe	2	0x00D60000	0x00D7BFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
server.exe	2	0x00D60000	0x00D7BFFF	Final Dump	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
system.exe	7	0x00080000	0x0009BFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
bf4b86d937e29b1b51011983fd5145bbwindows update.exe	6	0x00EB0000	0x00ECBFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	6	0x00470000	0x00479FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
system.exe	7	0x00080000	0x0009BFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
server.exe	9	0x01260000	0x0127BFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
bf4b86d937e29b1b51011983fd5145bbwindows update.exe	6	0x00EB0000	0x00ECBFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	9	0x0528B000	0x0528FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x055AD000	0x055AFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x0520D000	0x0520FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x050AE000	0x050AFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x04BDD000	0x04BDFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x0491B000	0x0491FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x047BE000	0x047BFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x00349000	0x0034FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
server.exe	9	0x01260000	0x0127BFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
server.exe	9	0x01260000	0x0127BFFF	Final Dump	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
njRAT	njRAT	Backdoor	5/5	... Actions Show Ruleset Show Match

C:\autorun.inf

Dropped File

Setup Script

MIME Type	application/x-setupscript
File Size	55 Bytes
MD5	40b1630be21f39cb17bd1963cae5a207
SHA1	63c14bd151d42820dd45c033363fa5b9e1d34124
SHA256	f87e55f1a423b65fd639146f71f6027dbd4d6e69b65d9a17f1744774aa6589e1
SSDeep	3:It1KV2PHQCyK0x:e1KAwCyD
ImpHash	-

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

C:\Users\kEecfMwgj\AppData\Local\Temp\FransescoPast.txt

Dropped File

Text

MIME Type	text/plain
File Size	32 Bytes
MD5	c02b79764a0c7b6340586e225631ca4f
SHA1	46d73f2a3798de05160258fdccc3075c88a94039
SHA256	cbee1cd5673418c7c190256736061f58880db3d4b27be22f3e3b1118d5f87bcb
SSDeep	3:YyFuBk5/ml2T:Y8uBWY2T
ImpHash	-

C:\Users\kEecfMwgj\AppData\Roaming\app

Dropped File

Text

MIME Type	text/plain
File Size	5 Bytes
MD5	8f11404a507cfb98455f89a534077f73
SHA1	0716c668f504450353527aff1a6457b8348cf435
SHA256	f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb
SSDeep	3:3n:3
ImpHash	-

File Reputation Information

Verdict

Clean

Remarks (2/2)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information