General
-
Target
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
-
Size
6.1MB
-
Sample
220517-qbgzhscbf5
-
MD5
5f9e61796a21e65f9a03f92ee6a8f6d8
-
SHA1
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
-
SHA256
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
-
SHA512
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Static task
static1
Behavioral task
behavioral1
Sample
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
Resource
win7-20220414-en
Malware Config
Extracted
http://supportnimbuzz.hexat.com/3/Att.jpg
Extracted
https://cdn.discordapp.com/attachments/934436223181787207/937137622730559579/Att.jpg
Extracted
https://cdn.discordapp.com/attachments/935877066816114718/938236541149515816/Att.jpg
Extracted
njrat
0.7NC
NYAN CAT
ameen.myftp.biz:7788
76420c32f4f
-
reg_key
76420c32f4f
-
splitter
@!#&^%$
Extracted
njrat
0.7.3
Lime
worm.access.ly:7778
Adobe.exe
-
reg_key
Adobe.exe
-
splitter
12345
Extracted
asyncrat
0.5.7B
Default
newworld.mypsx.net:8877
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
rdpclip.exe
-
install_folder
%AppData%
Targets
-
-
Target
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
-
Size
6.1MB
-
MD5
5f9e61796a21e65f9a03f92ee6a8f6d8
-
SHA1
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
-
SHA256
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
-
SHA512
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
-
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-