Malware Analysis Report

2024-10-10 10:10

Sample ID 240319-b6gjxaeg5t
Target 5602885050f75519abfe95d7501fc5b6.bin
SHA256 5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
Tags
arrowrat identifier rat agilenet agenttesla umbral asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview, Signatures

Analysis: behavioral10, behavioral17, behavioral19, behavioral31, behavioral8, behavioral9, behavioral21, behavioral26, behavioral4, behavioral12, behavioral5, behavioral27, behavioral6, behavioral7, behavioral16, behavioral20, behavioral22, behavioral3, behavioral25, behavioral14, behavioral24, behavioral13, behavioral15, behavioral30, behavioral32, behavioral1, behavioral2, behavioral29, behavioral11, behavioral28, behavioral18, behavioral23
    Each behavioral analysis has the same subsections: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b

Threat Level: Known bad

The file 5602885050f75519abfe95d7501fc5b6.bin was found to be: Known bad.

Malicious Activity Summary

arrowrat identifier rat agilenet agenttesla umbral asyncrat

Async RAT payload

AgentTesla payload

Agenttesla family

Asyncrat family

Detect Umbral payload

Umbral family

Arrowrat family

ArrowRat

Contains code to disable Windows Defender

Obfuscated with Agile.Net obfuscator

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-19 01:45

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Arrowrat family

arrowrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Audio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Audio.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.BunifuButton.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.BunifuButton.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\9Ood5SWkbwPn.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\9Ood5SWkbwPn.exe

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\9Ood5SWkbwPn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

memory/3048-0-0x0000014BA6690000-0x0000014BA66B8000-memory.dmp

memory/3048-2-0x00007FF848F90000-0x00007FF849A51000-memory.dmp

memory/3048-3-0x00007FF848F90000-0x00007FF849A51000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Audio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Audio.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20231129-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

131s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

160s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 172.217.168.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.Licensing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.Licensing.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1380 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\9Ood5SWkbwPn.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\9Ood5SWkbwPn.exe

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\9Ood5SWkbwPn.exe"

Network

N/A

Files

memory/2492-0-0x00000000009E0000-0x0000000000A08000-memory.dmp

memory/2492-1-0x000007FEF62D0000-0x000007FEF6CBC000-memory.dmp

memory/2492-2-0x000007FEF62D0000-0x000007FEF6CBC000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240215-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

165s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\FBSyChwp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\FBSyChwp.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Recovery.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\FBSyChwp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\FBSyChwp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.1.5.3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.BunifuButton.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.BunifuButton.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C793221-E592-11EE-8698-5E73522EB9B5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0571e489f79da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b0000000002000000000010660000000100002000000008ea4956bfe0502a6607e999bbea671e34138c2950a2cbe5fbcef5a176623708000000000e8000000002000020000000801581361f343370bf2dd061b04804a035209016529658865cd565d15295e07820000000559032b93ba143e1183b71e23ef065690bc50c294fbd4cc3b2e4f716dc3bd2f040000000e87d5f24d9d6d31796de83f783a71cd7b1bb3e82ddfe249f39041d481f31a3750a8d5513f48bd556d22e354b4d880c7a9966ed2f5aef02ac4f5bd9e8d9630180 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416974627" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=NiptuneRAT.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarAB15.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07ee1d8125e4fe6916e94e3b5d371d73
SHA1 f570d490926084a05e1ff983a4c155d15c11cd04
SHA256 b1f9585b708c373a38d578923152dd2a95cce4f6a062cf3cb03fd41a6900394f
SHA512 037980ea3130aac9c60ef05aa3533df2840272ef9d886f87de316a658584477a55ed4bd16994c595218c04661a5734d9bac63ba85ae9585f1d18b4d9f56dc053

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f569affaa87df30fb0cdbab99c21482d
SHA1 fa3b0dba321a27e8182a1e32ba96ca6ab3aa7923
SHA256 0caf8b4e3aec800111342ff976bddea81bb55ad01ed08b6ca06ace63f5d827b1
SHA512 0b0a415477ac46c3265c27630c26793f8b1235dda89a0e070fd1b79b5a9d3b5a4c5e6ecc00d51e22d2459f193f382ca548d340193f1abcb87279126e5d47c967

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0359924ae3cf3ce4a496934612e658f
SHA1 00e2e5adc6c59a4edffef7aa426feefe6d98daba
SHA256 aceb36fea4a32d6da313401a509e002dc82f00f5877ddb6afcf791aec4507227
SHA512 217f251f4a4fcc1b249d3317942dcba37c6e453198c00e95a0f411d2622a3d23fb0986f6117e581e2c9aeb0c194f51d2000d93308f82205ed0599538aa7db52b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7aa1d98e92b381b898e80fa0eced7405
SHA1 04e634baaf79e888e0e114cf994764fc1b13dea8
SHA256 6f5b1190dc31c92a6e71c7b162307f7815b029f4606dba949a45fa1df137c26f
SHA512 200aecf0c6e9810ca27c7358144c4d9c1aab95eaf16f17d601b10a9bc4e5037b7bc7d2fb925e14e2b7d6573e9fec556b4ac5077e1447b00d9e815dc42b9683f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fce7dfef3154b5ac3d44ea28c5b3bc50
SHA1 93bc9db3b86523a107f6761ed526460c35433c4f
SHA256 177bb6bca87d929008faed3fd5168b8627031f04d168dcaec43ef5ebc5bfec0d
SHA512 17c3d5784aed0c09baef5149302ef15e37eb0986725993da4ea28480538c9d1a2c2ce358ae98c7bd3e57ba5c1821ec162ba790099c6b4fb558d8adccdafbfa34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f548981d0df183a79dacc6fd516dff1
SHA1 f164b9e791efa99f2808bcb7bfcb0870ac77c02a
SHA256 1db67763ca1e895b2de40dc3423c8dfd3bd4414489e85ab8138aeeb8e12e0679
SHA512 f57b233498c462a008ecfade1ba0e32a4ebc8ffe7293989372d76008c516285ea114d463bf1df05d65af9bbfda720c941be213d74244f8749ce7dd0bca71d4b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5cb4622c78afea696dbc3edd7c3b4db
SHA1 e7e002d41844c99a647266296333bc6f1c9040a0
SHA256 7d096452919ebd452d1269d531f54a96070df34aa83a1db98341bf051bedf94b
SHA512 588674ecf51bc805a2c451a46341e9cb30ba168521c685b57fc86f4befaec77cf80bde9ae17e5224701f24a06a5e6d9ca99b8e7c6217cdca32564c3cb54ef572

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62f2ccf26c8e7b67925ef5da14bc79b0
SHA1 cf055545ab49746107716983e1d828a6a269ed0c
SHA256 7c29d41a924ef24f01c9aa2682b8d5a31f61b9264b9005add04475ee1b7924ef
SHA512 fd01728a4ebbe8cec498d67612c9894d332afb68699212ba70c9ad3bf1bac2d6627dcca6f94e8038f776a6a8a013a3ab131a4de6beb03f4e77a98daac36968b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 943b96e060501bc822c611d7c6e26485
SHA1 1731c6c76aa65a6080f61f92b74f237b7e73ee1c
SHA256 45b142e1532fc12a0992361d1df2abc8ecab64a3c848f57f8d9eeaadb0908c91
SHA512 1e9f20adf37acb00a7a4b022f4b272c13f003e03a38cea89c177144fcbb48473fb80e88811a79800552897d384f1819123ddf9f27c3a6d61f5384a9594870355

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 181d5c9f9d992be81d8b761e2eeaa31c
SHA1 5036ecacf0845111f699c65ea525b4a72de0855a
SHA256 f6795f6f0bac3f970b3fba86ad5d2ba73c561a0b2fa81fc377836f52a2a6024b
SHA512 a5244e9cef36621c86c7881f253cf14dd35880dc9cc32052817cfd7d0f408ce288eeb7824b98a6db2b2f9c0eb75dd2d97a3ea3c4de6c8826e1e6ca898d79c6a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5f12fe6914a3897bb89f4ef4377cb30
SHA1 a98441f996897ff0b5b6929971adfa13bd33beec
SHA256 06f5df42b78b52dc40651351a145480d91bc0e4b670d4355285e4b0c1910b390
SHA512 fd6f3a8ebde03eea4de7b0597af1a7d8775e596439c85f083f6978a41d9e3f103a832ff514288f0c28adef95197c35366486e65d5f92a7c7032f56b8f19f3b9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82b744b98afc84c5c2d898bff5d3a1e6
SHA1 87f036c3fa8da9272acb8bbd683f93d37b989b7f
SHA256 f48712a12b44f1e053daaf9ede7cfdd2dca65d3f89b5f6a25bc8e8724ce7eb17
SHA512 09b964be66476cd222bcdcc9edeb243bb782a0921da1706e22e88d5fcfc0fdd964704713a80180e592dc80d92e7169e3cd2bc34d05d537ef2f0dfbf6357eb617

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b651d78d1a9d417677b9d7d08d9678e
SHA1 bf7a5be89102b9dddce92b7f3bbbe7b0dc04321c
SHA256 d4d2b85f05f7ada00c4f2795c50a3c7489032a4e69e23a2cdc799225ac344b3d
SHA512 377cb5ccc2562e688912569883bd495ffbda6042c211ac110d41d098b0d266b469d51de36794581d992145c715b38febec0d540f87709aaac3436950559416bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 686ab50aedd8a5499f48be0f682f43c0
SHA1 74bc8456a1f3f758413137ae38ce4be053208f4a
SHA256 9481b3c4604d4bae99969cc78d9c77c667341caf4c89b29c5e47a7552390f853
SHA512 4513c390bcab6987127b9babfe10fc271a0ec3d0f7d385c6ec2ea0676b5e91fda440cd0e137ed5be30cf08ed777831272a09771d6c37c5e9c71cac6f3240649e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b31728536b4579b6a855535f6040922
SHA1 9a117fd1c7c47559ae6c6085c4a6bc98a8523ee3
SHA256 c7d3f829ecff5df76c7fe8e254600fcfd6a0d60ba0a82d7258c5d07898fa37ec
SHA512 55c43b0be937d05cb67a5a5ac34cbd8b09d1e9074cce97e6427dd70e78f198b35f37764971c08e21c9840eb413f8ddde17908892cbdff1c14e823dfbf1e3ad1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36ed263fcb83545071bac686972fda06
SHA1 e2d571293c2a987ebf46e84c83ea40b9b98b8ac9
SHA256 1e335b2195b5e9fac0cfef30ff5ce1ca7b471e4285061fa8924f5215d6f4d2ae
SHA512 253f79e520a087577b197e18e3d4ef4abb001bb7d77ab108ac1e3c2bfa1883af14eb1e6e73ab259129a9f4b13067fc2ac57a2c9ccc7cdd7a14604d4cf7ac8317

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba8574ea4d529112a3f1b2755303f9f2
SHA1 2ef1984dc4fc2ece3331e533619a5d72f7ac5b9c
SHA256 70ea82a3ab981f39a6b0acf2b689a76081d2ecabba7f2051c14993af26429fa2
SHA512 9a3bbb16193c56fb117b7543dd95ee40ce4d55c08d14813f6a97c6472519b54a725041c2bfd44aef253ecec5ed9be208e75539f8765b615c0b5c6c95b70c7665

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cdcb848466785bdd084010942a5e91e
SHA1 d3337ca1cba50a6d90395ed3de7bc6b4b958aa95
SHA256 381f40348b2c3bd028f92f528cd9196dcb8aa25f851e823b358d5160cf4ff3f6
SHA512 25f93ab7751b8adea47f5ea95e41a0e21ec4c56004b0e95e359cb159a8f700a566afa502c946aa853f8f39cec24ef8bea58cc49ee952f0447081fec4b925c6d8

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe

"C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\NiptuneRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 172.217.169.74:443 N/A tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/4560-0-0x0000029E48D50000-0x0000029E4A67A000-memory.dmp

memory/4560-1-0x00007FF82D320000-0x00007FF82DDE1000-memory.dmp

memory/4560-2-0x0000029E64BD0000-0x0000029E64BE0000-memory.dmp

memory/4560-3-0x0000029E64BE0000-0x0000029E64E32000-memory.dmp

memory/4560-4-0x0000029E64F30000-0x0000029E65124000-memory.dmp

memory/4560-5-0x0000029E657A0000-0x0000029E658EE000-memory.dmp

memory/4560-6-0x0000029E658F0000-0x0000029E65904000-memory.dmp

memory/4560-7-0x0000029E64BD0000-0x0000029E64BE0000-memory.dmp

memory/4560-8-0x00007FF82D320000-0x00007FF82DDE1000-memory.dmp

memory/4560-9-0x0000029E6EAC0000-0x0000029E6F0A8000-memory.dmp

memory/4560-10-0x0000029E64BD0000-0x0000029E64BE0000-memory.dmp

memory/4560-11-0x0000029E64BD0000-0x0000029E64BE0000-memory.dmp

memory/4560-12-0x0000029E6E2A0000-0x0000029E6E2AA000-memory.dmp

memory/4560-13-0x00007FF82D320000-0x00007FF82DDE1000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.UI.WinForms.1.5.3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.Licensing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Tools\Bunifu.Licensing.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 N/A tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-19 01:45

Reported

2024-03-19 01:48

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main\Plugins\Recovery.dll,#1

Network

N/A

Files

N/A