njRAT,njRAT.07d | dc8fe70e383f | Files

Classifications

Keylogger Backdoor

Threat Names

njRAT njRAT.07d

Dynamic Analysis Report

Created on 2024-05-15T16:40:36+00:00

7075.exe

Windows Exe (x86-32)

Remarks (1/1)

Auto Reboot Triggered (0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\7075.exe

Sample File

Binary

»

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\server.exe (Accessed File) c:\users\rdhj0cnfevzx\appdata\local\temp\server.exe (Accessed File, Dropped File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	23.50 KB
MD5	1f929bbb0b8d519371b11209cf988913
SHA1	22aef5ccab0e472ec8630f7f906098db68532feb
SHA256	dc8fe70e383fd317b10d409433ecaf6339557dc8c4492f3d44fed40625aca089
SSDeep	384:/oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZIp:Y7O89p2rRpcnuX
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

»

Verdict

Malicious

PE Information

»

Image Base	0x00400000
Entry Point	0x0040747E
Size Of Code	0x00005600
Size Of Initialized Data	0x00000600
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-05-15 14:00 (UTC+2)

Sections (3)

»

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00005484	0x00005600	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.57
.rsrc	0x00408000	0x00000240	0x00000400	0x00005800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.97
.reloc	0x0040A000	0x0000000C	0x00000200	0x00005C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.08

Imports (1)

»

mscoree.dll (1)

»

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0000744C	0x0000564C	0x00000000

Memory Dumps (18)

»

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	YARA	Actions
7075.exe	1	0x00860000	0x0086BFFF	Relevant Image		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
server.exe	2	0x00140000	0x0014BFFF	Relevant Image		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
7075.exe	1	0x00860000	0x0086BFFF	Process Termination		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
server.exe	2	0x00140000	0x0014BFFF	Final Dump		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x048D8000	0x048DFFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
buffer	2	0x0485A000	0x0485FFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
buffer	2	0x045CE000	0x045CFFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
buffer	2	0x004F6000	0x004FFFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
server.exe	2	0x00140000	0x0014BFFF	First Network Behavior		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
server.exe	5	0x00010000	0x0001BFFF	Relevant Image		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
server.exe	6	0x00470000	0x0047BFFF	Relevant Image		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
server.exe	6	0x00470000	0x0047BFFF	Process Termination		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x0528B000	0x0528FFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
buffer	5	0x0520A000	0x0520FFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
buffer	5	0x0466E000	0x0466FFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
buffer	5	0x001A6000	0x001AFFFF	First Network Behavior		32-bit	-		... Actions Go to Process Download Dump
server.exe	5	0x00010000	0x0001BFFF	First Network Behavior		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump
server.exe	5	0x00010000	0x0001BFFF	Final Dump		32-bit	-		... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

»

Rule Name	Rule Description	Classification	Score	Actions
njRAT	njRAT	Backdoor	5/5	... Actions Show Ruleset Show Match

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

WHOIS Domain Information

Screenshot