General
Target: Express Vpn Cracked.exe
Size: 36.3MB
Sample: 210807-3ml51a74le
MD5: 4544b2f40af00c61376c030f0e102d98
SHA1: 05824e0ec140e56fb066f7fffbcd79b6dadfdbf1
SHA256: 5ee49e2433a68b616317e190b5a53840e58455dfccda71e4b9f6e727a3b7a7fd
SHA512: 785ee454b9ae81714241ee7df9fa38e6e5e5f7a377e4ebff6d33fdf86b51b3805f13ecb0a2cdf5e24be06ebe17d3d7dd349be83bb005284d56305475654220a0
Static task: static1
Behavioral task: behavioral1
Sample: Express Vpn Cracked.exe
Resource: win7v20210410
Malware Config
Extracted:
- Family: njrat
- Version: 0.7d
- happy
- C2: alcachofa724-46937.portmap.host:46937
- b2cfa0ba1b27be996957c11e1bf6a214
- reg_key: b2cfa0ba1b27be996957c11e1bf6a214
- splitter: |'|'|
Targets
Target: Express Vpn Cracked.exe (36.3MB; same MD5, SHA1, SHA256 and SHA512 as listed under General)
- Poullight Stealer Payload
- Registers COM server for autorun
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.