General
-
Target
7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7
-
Size
24.3MB
-
Sample
220509-az39nabhb3
-
MD5
006333f64f5d50611383c83a22a1a8dc
-
SHA1
4949a5b34fdee0de7cc1e387403fe007faf412c0
-
SHA256
7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7
-
SHA512
92acf4b50a8d275ef4f23f425201db5b294db82f20676380ef1e454c642bfd1761d4e91ab6de09193ea874d86f04fd88f4e4004062d1206a2e9d6d6cbca0763b
Static task
static1
Behavioral task
behavioral1
Sample
7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
njrat
0.7d
redlanhopto
redlan.hopto.org:5553
d25d360449d7bab3069e1b77b3a914a3
-
reg_key
d25d360449d7bab3069e1b77b3a914a3
-
splitter
|'|'|
Targets
-
-
Target
7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7
-
Size
24.3MB
-
MD5
006333f64f5d50611383c83a22a1a8dc
-
SHA1
4949a5b34fdee0de7cc1e387403fe007faf412c0
-
SHA256
7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7
-
SHA512
92acf4b50a8d275ef4f23f425201db5b294db82f20676380ef1e454c642bfd1761d4e91ab6de09193ea874d86f04fd88f4e4004062d1206a2e9d6d6cbca0763b
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
XMRig Miner Payload
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-