General
Target: 2a8f04dd_by_Libranalysis
Size: 43KB
Sample: 210510-w27y5yjtzj
MD5: 2a8f04ddc03f8c4db0821275619b55b4
SHA1: 8bf21477518f4f33bbd9f1a0f013302be516ea53
SHA256: 531471184d5c8eb4ec97c12059b5bbc8f397b3749033f7fd80405a1b560fbb17
SHA512: 27eb081ce75ae5015adc7368b109fd82b6fa7dfab627a4faa0a8cc43aa83385f75906e463b1a0cde23490f0274c150578c923c2fe3e9d2eec9e26492fd717c43
Static task: static1
Behavioral task: behavioral1
  Sample: 2a8f04dd_by_Libranalysis.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 2a8f04dd_by_Libranalysis.doc
  Resource: win10v20210410
Malware Config
Extracted: http://meetthepriestessatl.com/August2020.exe
Extracted: njrat
  0.7d
  2021$$$
  194.5.98.210:4040
  0ef5de3f5b1fb89677ba03e41fa0a05a
  reg_key: 0ef5de3f5b1fb89677ba03e41fa0a05a
  splitter: |'|'|
Targets
Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Adds Run key to start application
Suspicious use of SetThreadContext