General
-
Target
17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38
-
Size
11.1MB
-
Sample
220222-svnbraadg9
-
MD5
a35d415ee0aff1e2ec654aae84a16acf
-
SHA1
cc4aa96dcc764ad63847bd741740a1e76cc1c91f
-
SHA256
17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38
-
SHA512
1c757e1b92d0b9f032716c1db16976ac63c75cc489769a3e16bc7bd24971d66d62360b8c51922d6c76138ea7e02b1a0596372a9de267635809acb13cdd98e6db
Static task
static1
Behavioral task
behavioral1
Sample
17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38.exe
Resource
win7-en-20211208
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
zcb79451
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
zcb79451
Extracted
njrat
0.7d
HacKed
FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mw==
FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==
429569822ab3f91283cbbbcf37c3e742
-
reg_key
429569822ab3f91283cbbbcf37c3e742
-
splitter
|'|'|
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
Password
Targets
-
-
Target
17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38
-
Size
11.1MB
-
MD5
a35d415ee0aff1e2ec654aae84a16acf
-
SHA1
cc4aa96dcc764ad63847bd741740a1e76cc1c91f
-
SHA256
17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38
-
SHA512
1c757e1b92d0b9f032716c1db16976ac63c75cc489769a3e16bc7bd24971d66d62360b8c51922d6c76138ea7e02b1a0596372a9de267635809acb13cdd98e6db
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext
-