Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-t2hwaaag21
Target 8e027405c27400fc0c854b804f199eea27fcfe8a242bf3689658395d7530fe5a
SHA256 8e027405c27400fc0c854b804f199eea27fcfe8a242bf3689658395d7530fe5a
Tags
xtremerat persistence rat spyware upx hacked njrat trojan evasion
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8e027405c27400fc0c854b804f199eea27fcfe8a242bf3689658395d7530fe5a was found to be: Known bad.

Malicious Activity Summary

Detect XtremeRAT payload

XtremeRAT

njRAT/Bladabindi

Njrat family

UPX packed file

Executes dropped EXE

Modifies Windows Firewall

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-11-23 16:33

Signatures

Njrat family

njrat

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-11-23 16:33

Reported

2022-11-23 18:05

Platform

win7-20221111-en

Max time kernel

202s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\كل العراق.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\كل العراق.exe

"C:\Users\Admin\AppData\Local\Temp\كل العراق.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

memory/1584-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

memory/1584-55-0x0000000010000000-0x000000001004D000-memory.dmp

memory/528-56-0x0000000010000000-0x000000001004D000-memory.dmp

memory/528-58-0x0000000000000000-mapping.dmp

memory/1584-60-0x0000000010000000-0x000000001004D000-memory.dmp

memory/528-61-0x0000000010000000-0x000000001004D000-memory.dmp

memory/528-62-0x0000000010000000-0x000000001004D000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2022-11-23 16:33

Reported

2022-11-23 18:05

Platform

win10v2004-20221111-en

Max time kernel

197s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\كل العراق.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\كل العراق.exe

"C:\Users\Admin\AppData\Local\Temp\كل العراق.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 488

Network

Country Destination Domain Proto
N/A 20.189.173.13:443 tcp
N/A 209.197.3.8:80 tcp (repeated 3 times)
N/A 104.80.225.205:443 tcp
N/A 8.238.23.254:80 tcp (repeated 3 times)
N/A 8.8.8.8:53 15.89.54.20.in-addr.arpa udp

Files

memory/1120-132-0x0000000010000000-0x000000001004D000-memory.dmp

memory/4584-133-0x0000000000000000-mapping.dmp

memory/4584-134-0x0000000010000000-0x000000001004D000-memory.dmp

memory/1120-135-0x0000000010000000-0x000000001004D000-memory.dmp

memory/4584-136-0x0000000010000000-0x000000001004D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 16:33

Reported

2022-11-23 18:04

Platform

win7-20220812-en

Max time kernel

38s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\الادبي.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\الادبي.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\الادبي.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\الادبي.exe

"C:\Users\Admin\AppData\Local\Temp\الادبي.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

Network

N/A

Files

memory/2000-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

memory/2000-55-0x0000000074120000-0x00000000746CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 2dbe2b2f3e81131526c4beec1d1a575e
SHA1 dbae8830aafe88359e9150d5ca07f11c040b8692
SHA256 b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402
SHA512 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e

memory/1352-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 2dbe2b2f3e81131526c4beec1d1a575e
SHA1 dbae8830aafe88359e9150d5ca07f11c040b8692
SHA256 b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402
SHA512 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e

memory/2000-62-0x0000000074120000-0x00000000746CB000-memory.dmp

memory/1352-63-0x0000000074120000-0x00000000746CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 16:33

Reported

2022-11-23 18:04

Platform

win10v2004-20220812-en

Max time kernel

113s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\الادبي.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\الادبي.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\الادبي.exe

"C:\Users\Admin\AppData\Local\Temp\الادبي.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

Network

Country Destination Domain Proto
N/A 20.50.201.200:443 tcp
N/A 93.184.221.240:80 tcp (repeated 3 times)

Files

memory/2016-132-0x0000000074F20000-0x00000000754D1000-memory.dmp

memory/2016-133-0x0000000074F20000-0x00000000754D1000-memory.dmp

memory/3716-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 2dbe2b2f3e81131526c4beec1d1a575e
SHA1 dbae8830aafe88359e9150d5ca07f11c040b8692
SHA256 b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402
SHA512 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e

memory/2016-137-0x0000000074F20000-0x00000000754D1000-memory.dmp

memory/3716-138-0x0000000074F20000-0x00000000754D1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-11-23 16:33

Reported

2022-11-23 18:05

Platform

win7-20221111-en

Max time kernel

203s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\العلمي.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\العلمي.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\العلمي.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\العلمي.exe

"C:\Users\Admin\AppData\Local\Temp\العلمي.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 iraqiiraqi.no-ip.biz udp

Files

memory/1368-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 74526b46799abae6166733f30784d73b
SHA1 fc775da0774384e002314dd3b1e49f2c7dbd69d4
SHA256 e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205
SHA512 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 74526b46799abae6166733f30784d73b
SHA1 fc775da0774384e002314dd3b1e49f2c7dbd69d4
SHA256 e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205
SHA512 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27

memory/1508-57-0x0000000000000000-mapping.dmp

memory/1368-61-0x00000000746C0000-0x0000000074C6B000-memory.dmp

memory/1936-62-0x0000000000000000-mapping.dmp

memory/1508-63-0x00000000746C0000-0x0000000074C6B000-memory.dmp

memory/1508-65-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-11-23 16:33

Reported

2022-11-23 18:05

Platform

win10v2004-20221111-en

Max time kernel

194s

Max time network

211s

Command Line

"C:\Users\Admin\AppData\Local\Temp\العلمي.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\العلمي.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\العلمي.exe

"C:\Users\Admin\AppData\Local\Temp\العلمي.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

Network

Country Destination Domain Proto
N/A 40.77.2.164:443 tcp
N/A 51.105.71.136:443 tcp
N/A 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 8.8.8.8:53 iraqiiraqi.no-ip.biz udp (repeated 14 times)

Files

memory/204-132-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/204-133-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1620-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 74526b46799abae6166733f30784d73b
SHA1 fc775da0774384e002314dd3b1e49f2c7dbd69d4
SHA256 e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205
SHA512 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27

memory/5044-137-0x0000000000000000-mapping.dmp

memory/204-138-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1620-139-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1620-140-0x0000000074DD0000-0x0000000075381000-memory.dmp