MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534
SHA3-384 hash: c348635fb414d1c55664b1e1526adacd06f6b670bbb2715666950c0db7fa807e470bab387735c89254498bbae2123c38
SHA1 hash: b8b0a9847342b7fd157588050cd9f1a87bb4acf7
MD5 hash: 652bb7ad7e37a9ad2b6f17ce0efd1124
humanhash: chicken-zulu-nitrogen-golf
File name:652bb7ad7e37a9ad2b6f17ce0efd1124.exe
Download: download sample
Signature njrat
Create hunting rule
File size:4'989'952 bytes
First seen:2025-07-18 03:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:rMKZ1Gnvnp6LcuFYi6WV92bDSDFF7zHsrdneNE9Prwkp60mS56xC:51GROcuFL6WX3MpeNUTwkc0ZI
TLSH T1E536330AA7AD03D7DD6463B419F600A72ABB7DD05798C683460BF84D7F61898EA34F13
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
45.142.122.114:7705

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.142.122.114:7705 https://threatfox.abuse.ch/ioc/1557909/

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
652bb7ad7e37a9ad2b6f17ce0efd1124.exe
Verdict:
Malicious activity
Analysis date:
2025-07-18 03:11:26 UTC
Tags:
lumma stealer amadey botnet loader auto-reg rdp redline metastealer gcleaner stealc arch-exec auto generic aurotun evasion auto-startup rat remote purelogs purecrypter miner njrat bladabindi telegram
Link:
https://app.any.run/tasks/21f6aae8-5c1e-4359-94c0-1e80a58ed0b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15143/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6879bb4f2f623871a5ef6c0b
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Launching a service
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB explorer fingerprint installer lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/6879bb557bc45bdee1b078b4/reports/ab2637a0-61d0-490b-9804-04345d4d0bc1/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c389cd35-ae1f-4e87-9a33-81fcad0bd9e7
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1739326
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1739326 Sample: P92nZw7178.exe Startdate: 18/07/2025 Architecture: WINDOWS Score: 100 138 vervzv.xyz 2->138 140 greqjfu.xyz 2->140 142 8 other IPs or domains 2->142 158 Suricata IDS alerts for network traffic 2->158 160 Found malware configuration 2->160 162 Antivirus detection for dropped file 2->162 166 15 other signatures 2->166 12 P92nZw7178.exe 1 4 2->12         started        15 suker.exe 2->15         started        19 cUZs5FgA.exe 2->19         started        21 8 other processes 2->21 signatures3 164 Performs DNS queries to domains with low reputation 140->164 process4 dnsIp5 122 C:\Users\user\AppData\Local\...\2i5888.exe, PE32 12->122 dropped 124 C:\Users\user\AppData\Local\...\1Z49x6.exe, PE32 12->124 dropped 23 2i5888.exe 6 12->23         started        27 1Z49x6.exe 12->27         started        146 176.46.157.50, 49716, 49719, 49721 ESTPAKEE Iran (ISLAMIC Republic Of) 15->146 148 176.46.157.32, 49720, 49722, 49728 ESTPAKEE Iran (ISLAMIC Republic Of) 15->148 126 C:\Users\user\AppData\Local\...\0m410bx.exe, PE32 15->126 dropped 128 C:\Users\user\AppData\Local\...56Hmst.exe, PE32 15->128 dropped 130 C:\Users\user\AppData\Local\...\gwerfmJ.exe, PE32 15->130 dropped 132 5 other malicious files 15->132 dropped 152 Contains functionality to start a terminal service 15->152 154 Binary is likely a compiled AutoIt script file 19->154 30 cmd.exe 19->30         started        32 K26GehJt.exe 19->32         started        34 WfGckAhA.exe 19->34         started        36 2 other processes 19->36 150 127.0.0.1 unknown unknown 21->150 156 Changes security center settings (notifications, updates, antivirus, firewall) 21->156 file6 signatures7 process8 dnsIp9 108 C:\3SCjZOO\cUZs5FgA.exe, PE32 23->108 dropped 110 C:\3SCjZOO\H4ZoOM4E.exe, PE32 23->110 dropped 180 Antivirus detection for dropped file 23->180 182 Multi AV Scanner detection for dropped file 23->182 38 cUZs5FgA.exe 23->38         started        144 steamcommunity.com 23.204.10.89, 443, 49712 AKAMAI-ASUS United States 27->144 184 Detected unpacking (changes PE section rights) 27->184 186 Tries to detect sandboxes and other dynamic analysis tools (window names) 27->186 188 Tries to evade debugger and weak emulator (self modifying code) 27->188 194 3 other signatures 27->194 190 Suspicious powershell command line found 30->190 41 powershell.exe 30->41         started        43 conhost.exe 30->43         started        45 cmd.exe 32->45         started        192 Contains functionality to start a terminal service 34->192 47 conhost.exe 36->47         started        49 H4ZoOM4E.exe 36->49         started        51 conhost.exe 36->51         started        53 schtasks.exe 36->53         started        file10 signatures11 process12 signatures13 168 Antivirus detection for dropped file 38->168 170 Multi AV Scanner detection for dropped file 38->170 172 Binary is likely a compiled AutoIt script file 38->172 174 Found API chain indicative of sandbox detection 38->174 55 K26GehJt.exe 15 38->55         started        59 cmd.exe 1 38->59         started        61 WfGckAhA.exe 4 38->61         started        69 2 other processes 38->69 176 Loading BitLocker PowerShell Module 41->176 178 Uses cmd line tools excessively to alter registry or file data 45->178 63 reg.exe 45->63         started        65 conhost.exe 45->65         started        67 nircmd.exe 45->67         started        71 2 other processes 45->71 process14 file15 112 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 55->112 dropped 114 C:\Users\user\AppData\Local\...\cecho.exe, PE32 55->114 dropped 116 C:\Users\user\AppData\Local\...116SudoLG.exe, PE32+ 55->116 dropped 120 2 other malicious files 55->120 dropped 196 Multi AV Scanner detection for dropped file 55->196 73 cmd.exe 55->73         started        198 Suspicious powershell command line found 59->198 200 Uses cmd line tools excessively to alter registry or file data 59->200 202 Bypasses PowerShell execution policy 59->202 206 2 other signatures 59->206 76 H4ZoOM4E.exe 3 59->76         started        79 conhost.exe 59->79         started        118 C:\Users\user\AppData\Local\...\suker.exe, PE32 61->118 dropped 204 Contains functionality to start a terminal service 61->204 81 suker.exe 61->81         started        83 Conhost.exe 63->83         started        85 powershell.exe 69->85         started        87 conhost.exe 69->87         started        89 conhost.exe 69->89         started        91 schtasks.exe 69->91         started        signatures16 process17 file18 208 Uses cmd line tools excessively to alter registry or file data 73->208 93 chcp.com 73->93         started        96 cmd.exe 73->96         started        98 conhost.exe 73->98         started        102 11 other processes 73->102 134 C:\3SCjZOO\WfGckAhA.exe, PE32 76->134 dropped 136 C:\3SCjZOO\K26GehJt.exe, PE32 76->136 dropped 210 Multi AV Scanner detection for dropped file 81->210 212 Contains functionality to start a terminal service 81->212 214 Loading BitLocker PowerShell Module 85->214 100 Conhost.exe 87->100         started        signatures19 process20 signatures21 216 Queries memory information (via WMI often done to detect virtual machines) 93->216 104 Conhost.exe 93->104         started        106 tasklist.exe 96->106         started        process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/652bb7ad7e37a9ad2b6f17ce0efd1124
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-07-15 06:21:52 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpbgdimmhncu2xlvqaosxhjuza2zklwauuxgumsxclpiksxqyu2a._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
njrat
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:njrat family:redline family:stealc family:xenorat botnet:9fa1e2 botnet:cause botnet:test7 botnet:tototo defense_evasion discovery execution infostealer persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/250718-dpnyrsvkz5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of web browsers
Themida packer
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect XenoRat Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
RedLine
RedLine payload
Redline family
Stealc
Stealc family
XenorRat
Xenorat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://bitjbpc.top/anvx
https://prvqhm.shop/zaus
https://sorrij.top/adjh
https://bardj.xyz/tieq
https://annwt.xyz/xkan
https://ungryo.shop/gnbw
https://greqjfu.xyz/uhbf
https://vervzv.xyz/xmgr
https://dryzc.xyz/apxe
https://skdgh.top/riwq
https://gigohe.top/diau
https://unxyng.top/zpld
https://trbxlj.top/atiw
https://blihlo.shop/atkg
https://gehkmx.top/xkaj
https://sacrp.top/amnt
https://dktnd.top/xuqi
http://176.46.157.50
http://45.141.233.187
78.141.210.201:27221
82.147.84.124:1987
78.141.210.201
Verdict:
Malicious
Tags:
stealer redline
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/f97da13b-5312-4e04-87ae-bf0571d1efc4
Unpacked files
SH256 hash:
9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534
MD5 hash:
652bb7ad7e37a9ad2b6f17ce0efd1124
SHA1 hash:
b8b0a9847342b7fd157588050cd9f1a87bb4acf7
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
93ac2954d199fc2d1f1ebfa95f2befebe1b7f0c1a0ce614ba635400cc964b39e
MD5 hash:
c0c696c66297a0495ad940b31635671f
SHA1 hash:
5e42a4cc42157437d59eeb39ce3cf765d7013ae6
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
816fefaea41ece6dbb69f18793ec3d0c1a0338ab9d27ae23a24806939eb03090
MD5 hash:
a92d024e5ff515bcc6f2546b507c431b
SHA1 hash:
4fedd4dfd15435c8a675f91c3b6b4c73c525c2bf
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
0d8617d130d031c76ffb079dfac4acc10ba13e7f11f2679d044d510ca366fbb7
MD5 hash:
5a62a9b572dc34946bb26b72197b08cd
SHA1 hash:
1d1df9cf715a277c790f5f138276225b2f10d8ff
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
a4b537703922b88d08659a4255406572e0aab6b060d313adbdfba4e15b90da74
MD5 hash:
ff36139eee8553f6054cb481d95bf8f1
SHA1 hash:
86f3bb841912fa6975f4da9879d9a40c36d965b8
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
47538cc60363fee95c107ea1f856eddcff98fde972e61ef879b6816eecd2db6b
MD5 hash:
36bc0bedba3554f4fdc7e8704adf3640
SHA1 hash:
dee0b3698037c71b934f6e2392e27798412e3068
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
fb5928cbe4c116a8f83195df9fa04b866da0073d3ff0cc4333b3ca60ed264bec
MD5 hash:
4d97135e5b0b0285b4ec778020551dcc
SHA1 hash:
41774426d0ae2af3ab3397b1c0c5c7e28c7c7759
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash:
b64e019681970678d241fd96e184a73a
SHA1 hash:
f340dd298b3bc6e6c26fab53b2930b3db511c868
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
SH256 hash:
bd1f4c1b3d7bb873accf04236da2848fb093c3457a3d1d4eb05986aeeebc420a
MD5 hash:
d23dbe0f8cbafb87033b9a7f01472ce3
SHA1 hash:
1c621b91969feead4e4531a93167d9d559030998
Link:
https://www.unpac.me/results/19c997d3-694f-4e8e-b1fb-637e4f3ca5ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MacOS_Cryptominer_Xmrig_241780a1
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Cryptominer_Xmrig_f9516741
Create hunting rule
Author:Elastic Security
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Windows_Cryptominer_Generic_f53cfb9b
Create hunting rule
Author:Elastic Security
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:xmrig_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15143/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments