General
-
Target
8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a
-
Size
9.0MB
-
Sample
220207-y9crfsghek
-
MD5
142b6b8c0ae513112a1579783d2ad5cb
-
SHA1
7f05045c4fe37c64efb8af7c23cdcafee37b38b5
-
SHA256
8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a
-
SHA512
c9b081aece3db9aae4053818e1d2c385661cc9c8f8effc2ef8786b5ba50ac1b2dd9ba6fb2d0722b7d3963eeda32c41dffd1fdd4dfa1b52fbbda0fdcb4af6ca39
Malware Config
Extracted
vjw0rm
http://todoaqui.duckdns.org:7979
Extracted
njrat
0.7d
aaanoi
njhost.hopto.org:5553
5c66e3e0723ecdf0c3e307768c9cf0dd
-
reg_key
5c66e3e0723ecdf0c3e307768c9cf0dd
-
splitter
|'|'|
Targets
-
-
Target
8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a
-
Size
9.0MB
-
MD5
142b6b8c0ae513112a1579783d2ad5cb
-
SHA1
7f05045c4fe37c64efb8af7c23cdcafee37b38b5
-
SHA256
8d0ccea5465761b45f1f952575e8cd533c2c4d34b37f26daa40ac0cfec960a5a
-
SHA512
c9b081aece3db9aae4053818e1d2c385661cc9c8f8effc2ef8786b5ba50ac1b2dd9ba6fb2d0722b7d3963eeda32c41dffd1fdd4dfa1b52fbbda0fdcb4af6ca39
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-