Report - get.php

njRAT backdoor Generic Malware PE File PE32 MZP Format .NET EXE
Created 2024.10.24 11:07 Machine s1_win7_x6401
Filename get.php
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 4
Behavior Score 5.0
ZERO API file : clean
VT API (file) 66 detected (AIDetectMalware, Rbot, leZz, Windows, Njrat, Malicious, score, GenericFC, S19436243, GenericKD, unsafe, Save, Delf, CKWZ, GenericRXDR, Bladabindi, eimp, Weenloc, flagce, CLASSIC, ATRAPS, BINDER, SMBD, Real Protect, high, Emogen, Genome, bawa, Detected, ai score=80, efnz, SOC@572vwy, Scar, VVWT, Ruftar, R30190, Genetic, Static AI, Malicious PE, CoinMiner, DarkComet)
md5 4336581e9f9024a927e63607e28c5afe
sha256 df0dabfd12fa40342a45018032de660b94f83e928ecf40546e124109f0a94522
ssdeep 3072:QB5iVaXBDiVa0BgiVa9tJQ9lS+yJ6W4tJQ9lS+yJ6W4:Q5iVaxDiVa0giVavJQPk4JQPk4
imphash d59a4a699610169663a929d37c90be43
impfuzzy 6:5UAZpvRRGvRRBZ/OxDzEzBtJtH/JrE5A+mRlJHUUcWVjFKBXz6+/I3XNTRWWbzLi:HZNvGvBZGxMDGa3BjyfINRWeaLG1K

Signature (11cnts)

Level Description
danger File has been identified by 66 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (11cnts)

Level Name Description Collection
danger Win_Backdoor_njRAT_Zero Win Backdoor njRAT binaries (download)
danger Win_Backdoor_njRAT_Zero Win Backdoor njRAT binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info mzp_file_format MZP(Delphi) file format binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
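The rule table tags this sample both as MZP (Delphi) and as a .NET EXE. Those two rarely hold at once: the IAT further down shows a native Delphi import set (RtlUnwind, TlsGetValue, FindResourceA/LoadResource/LockResource, CreateFileA/WriteFile, GetTempPathA, SHGetFolderPathA, ShellExecuteA, i.e. a dropper that writes an embedded resource to disk and launches it) and no mscoree.dll, which every managed executable imports. The decisive check is the CLR header slot (data directory index 14) in the optional header. The following is an added example, not part of the report or the sandbox's own code; it builds two constructed minimal PE32 header images (one with a Delphi-style "MZP" stub and no CLR directory, one with a CLR directory) and classifies them with a hand-rolled header walk so it runs without pefile.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header slot


def build_minimal_pe32(delphi_stub, clr_directory):
    """Constructed test image: DOS header, PE signature, COFF header and a PE32
    optional header with 16 data directories and no sections. It is header-only
    and not runnable; it exists so triage_pe() has realistic bytes to parse."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    if delphi_stub:
        dos[2] = 0x50  # Delphi's linker leaves e_cblp low byte 'P', hence "MZP"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=224,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if clr_directory:
        # Non-zero RVA/size in slot 14 is what marks a managed image.
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8,
                         0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage_pe(data):
    """Return header facts that settle the Delphi-vs-.NET question:
    mzp_stub (Delphi DOS stub), pe32 (32-bit optional header) and
    dotnet (CLR header directory present)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # past signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    return {
        "mzp_stub": data[:3] == b"MZP",
        "pe32": magic == 0x10B,
        "dotnet": clr_rva != 0 and clr_size != 0,
    }


if __name__ == "__main__":
    print("delphi-style:", triage_pe(build_minimal_pe32(True, False)))
    print("managed:     ", triage_pe(build_minimal_pe32(False, True)))
```

On a real sample, read the file bytes and pass them to triage_pe(); a result of mzp_stub True and dotnet False is the Delphi dropper profile the IAT suggests, and the ".NET EXE" tag can be recorded as a rule false positive.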

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x405064 GetCurrentThreadId
 0x405068 SetCurrentDirectoryA
 0x40506c GetCurrentDirectoryA
 0x405070 ExitProcess
 0x405074 RtlUnwind
 0x405078 RaiseException
 0x40507c TlsSetValue
 0x405080 TlsGetValue
 0x405084 LocalAlloc
 0x405088 GetModuleHandleA
 0x40508c FreeLibrary
 0x405090 HeapFree
 0x405094 HeapReAlloc
 0x405098 HeapAlloc
 0x40509c GetProcessHeap
kernel32.dll
 0x4050a4 WriteFile
 0x4050a8 SizeofResource
 0x4050ac SetFilePointer
 0x4050b0 LockResource
 0x4050b4 LoadResource
 0x4050b8 GetWindowsDirectoryA
 0x4050bc GetTempPathA
 0x4050c0 GetSystemDirectoryA
 0x4050c4 FreeResource
 0x4050c8 FindResourceA
 0x4050cc CreateFileA
 0x4050d0 CloseHandle
shfolder.dll
 0x4050d8 SHGetFolderPathA
shell32.dll
 0x4050e0 ShellExecuteA

EAT(Export Address Table) is none
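The imphash reported above (d59a4a699610169663a929d37c90be43) is derived from exactly this IAT: the Mandiant imphash is the MD5 of the comma-joined list of "library.function" strings, lowercased, with the .dll/.ocx/.sys extension dropped, in import-directory order. Recomputing it from the listing is a useful sanity check that a report's import dump is complete. The following is an added example, not part of the report or the sandbox's tooling; the listing is embedded as a constructed string copied from the IAT above, and the normalisation follows pefile's get_imphash() (nameless ordinal imports, which pefile renders as "ordN", do not occur here and are not handled).

```python
import hashlib
import re

# Constructed from the IAT listing in the report above, in the order shown:
# two kernel32.dll import descriptors, then shfolder.dll, then shell32.dll.
REPORT_IAT = """
kernel32.dll
 0x405064 GetCurrentThreadId
 0x405068 SetCurrentDirectoryA
 0x40506c GetCurrentDirectoryA
 0x405070 ExitProcess
 0x405074 RtlUnwind
 0x405078 RaiseException
 0x40507c TlsSetValue
 0x405080 TlsGetValue
 0x405084 LocalAlloc
 0x405088 GetModuleHandleA
 0x40508c FreeLibrary
 0x405090 HeapFree
 0x405094 HeapReAlloc
 0x405098 HeapAlloc
 0x40509c GetProcessHeap
kernel32.dll
 0x4050a4 WriteFile
 0x4050a8 SizeofResource
 0x4050ac SetFilePointer
 0x4050b0 LockResource
 0x4050b4 LoadResource
 0x4050b8 GetWindowsDirectoryA
 0x4050bc GetTempPathA
 0x4050c0 GetSystemDirectoryA
 0x4050c4 FreeResource
 0x4050c8 FindResourceA
 0x4050cc CreateFileA
 0x4050d0 CloseHandle
shfolder.dll
 0x4050d8 SHGetFolderPathA
shell32.dll
 0x4050e0 ShellExecuteA
"""

REPORTED_IMPHASH = "d59a4a699610169663a929d37c90be43"  # from the report header

_IMPORT_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat_listing(text):
    """Turn the report's IAT dump into an ordered list of (library, function)."""
    pairs = []
    lib = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _IMPORT_LINE.match(line)
        if m is None:
            lib = line  # a bare library name starts a new import descriptor
            continue
        if lib is None:
            raise ValueError("import listed before any library name: %r" % line)
        pairs.append((lib, m.group(1)))
    return pairs


def normalize_import(lib, func):
    """One import as imphash sees it: lowercase library without .dll/.ocx/.sys,
    a dot, and the lowercase function name."""
    lib = lib.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = base
    return "%s.%s" % (lib, func.lower())


def imphash(pairs):
    """MD5 over the comma-joined normalized import list."""
    joined = ",".join(normalize_import(lib, func) for lib, func in pairs)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def compare_with_report(text=REPORT_IAT, reported=REPORTED_IMPHASH):
    """Return (computed, reported, match) for the listing in the report."""
    computed = imphash(parse_iat_listing(text))
    return computed, reported, computed == reported


if __name__ == "__main__":
    computed, reported, match = compare_with_report()
    print("computed:", computed)
    print("reported:", reported)
    print("match:   ", match)
```

The two hashes agree only if the listing is the complete import table in descriptor order. The slot addresses here are contiguous (0x405064 to 0x40509c, a null terminator at 0x4050a0, 0x4050a4 to 0x4050d0, and so on), which is what a complete dump looks like; a mismatch would point to a truncated or reordered listing rather than to the imphash itself.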