General

  Target:  8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a
  Size:    9.0MB
  Sample:  220207-y9crfsghek
  MD5:     142b6b8c0ae513112a1579783d2ad5cb
  SHA1:    7f05045c4fe37c64efb8af7c23cdcafee37b38b5
  SHA256:  8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a
  SHA512:  c9b081aece3db9aae4053818e1d2c385661cc9c8f8effc2ef8786b5ba50ac1b2dd9ba6fb2d0722b7d3963eeda32c41dffd1fdd4dfa1b52fbbda0fdcb4af6ca39
Tasks

  Static task:      static1
  Behavioral task:  behavioral1
    Sample:         8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a.exe
    Resource:       win7-en-20211208 (Windows 7, English analysis VM image)
Malware Config

  Extracted: vjw0rm
    C2:        http://todoaqui.duckdns.org:7979

  Extracted: njrat
    Version:   0.7d
    Botnet:    aaanoi
    C2:        njhost.hopto.org:5553
    ID:        5c66e3e0723ecdf0c3e307768c9cf0dd (the same value is reused as reg_key)
    reg_key:   5c66e3e0723ecdf0c3e307768c9cf0dd
    splitter:  |'|'|  (field delimiter used in njRAT C2 messages)
Targets

  Target:  8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a (the submitted sample; same file and hashes as listed under General)
Signatures

  Suspicious use of NtCreateProcessExOtherParentProcess
    A process was created with a parent other than the creating process (parent PID spoofing).
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
    Emerging Threats rules for the Houdini/H-Worm style HTTP check-in; the UA rule matches on the beacon's User-Agent header.
  XMRig Miner Payload
    The sample carries the XMRig cryptocurrency miner.
  Blocklisted process makes network request
  Executes dropped EXE
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Drops startup file
    Writes a file into a Startup folder for persistence.
  Loads dropped DLL
  Adds Run key to start application
    Persistence through a CurrentVersion\Run registry value.
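As an added example (not tooling from the sandbox report or from the njRAT project), the script below turns the njRAT config extracted above into two triage checks: a parser for the splitter-delimited C2 messages, and a scan of a registry export for a Run value named after reg_key, which is the persistence the "Adds Run key to start application" signature refers to. The length-prefix framing of njRAT messages, the use of reg_key as the Run value name, the command names in the sample stream, and both sample inputs (SAMPLE_STREAM, SAMPLE_REG) are assumptions or constructed data, not taken from the report.

```python
"""Triage helpers derived from the njRAT config in this report.

Added example, not tooling from the sandbox or from the njRAT authors.
Assumptions beyond what the report states:
  * njRAT 0.7d frames each TCP message as "<decimal length>\\x00<payload>",
    and the payload is a command name followed by fields joined with the
    extracted splitter "|'|'|".
  * The Run value njRAT writes for persistence uses reg_key as the value
    name (the report only says a Run key is added).
  * The command names in SAMPLE_STREAM are illustrative; SAMPLE_STREAM and
    SAMPLE_REG are constructed for this example.
"""
import re

SPLITTER = "|'|'|"                              # from the extracted config
REG_KEY = "5c66e3e0723ecdf0c3e307768c9cf0dd"    # from the extracted config


def frame(payload: str) -> bytes:
    """Encode one message with the assumed length-prefix framing."""
    body = payload.encode("latin-1")
    return str(len(body)).encode() + b"\x00" + body


def parse_njrat_frame(data: bytes):
    """Return (command, fields) for one well-formed frame, else None.
    Rejects a missing NUL, a non-numeric length, or a length that does not
    match the payload size, so partial or non-njRAT data is not misparsed."""
    nul = data.find(b"\x00")
    if nul <= 0 or not data[:nul].isdigit():
        return None
    payload = data[nul + 1:]
    if int(data[:nul]) != len(payload):
        return None
    parts = payload.decode("latin-1").split(SPLITTER)
    return parts[0], parts[1:]


def split_frames(stream: bytes) -> list:
    """Cut a reassembled TCP stream into complete frames; stops at the first
    truncated or unframed byte run instead of guessing."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break
        end = nul + 1 + int(stream[pos:nul])
        if end > len(stream):
            break                               # declared length runs past the data
        frames.append(stream[pos:end])
        pos = end
    return frames


def run_key_hits(reg_export: str) -> list:
    """Return (key, data) pairs for values named REG_KEY under any
    ...\\CurrentVersion\\Run key in a .reg text export."""
    hits, current = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current and re.search(r"\\CurrentVersion\\Run$", current, re.I):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m and m.group(1).lower() == REG_KEY:
                hits.append((current, m.group(2).strip('"')))
    return hits


# Constructed data: two framed messages followed by a truncated third frame.
SAMPLE_STREAM = (
    frame(SPLITTER.join(["ll", "victim-id", "WIN7-PC", "user"]))
    + frame(SPLITTER.join(["act", "Untitled - Notepad"]))
    + b"12\x00short"
)

# Constructed .reg export: the njRAT Run value next to an unrelated one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"5c66e3e0723ecdf0c3e307768c9cf0dd"="C:\\Users\\victim\\AppData\\Roaming\\server.exe"
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

if __name__ == "__main__":
    for f in split_frames(SAMPLE_STREAM):
        print(parse_njrat_frame(f))
    print(run_key_hits(SAMPLE_REG))
```

The frame parser validates the declared length against the payload before splitting on the delimiter, so a Suricata-style match on the splitter alone is tightened to messages that are actually framed the way the RAT frames them; the registry scan keys on the reg_key value name rather than on the dropped file's path, which the operator can change per build.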