General
-
Target
TraderansOrder-NO-046-202_12072021.xlsm
-
Size
37KB
-
Sample
210712-87hcab78ps
-
MD5
f83fd3b81e2017c59108f8b678b0fbfe
-
SHA1
15a026231075b59abfb4cfabdbfdfb096575d355
-
SHA256
2f1a1876ace64c903d59ad47f1b99fbd622caa4968b238e69bd1d42b7b9b945c
-
SHA512
93a6a5803c99be346397a94148de27650413d7b032f5f661c59f8e39153d94d314520dd5b068dbb777038bd46810f5e100bf5b0d5e0a3d41f51a1951e6217dd0
Behavioral task
behavioral1
Sample
TraderansOrder-NO-046-202_12072021.xlsm
Resource
win7v20210410
Malware Config
Extracted
http://iurl.vip/nulvn
Extracted
njrat
0.7d
2021$$$
194.5.98.210:4040
0ef5de3f5b1fb89677ba03e41fa0a05a
-
reg_key
0ef5de3f5b1fb89677ba03e41fa0a05a
-
splitter
|'|'|
Targets
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-
Suspicious use of SetThreadContext
-