General

  • Target

    78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e

  • Size

    4.2MB

  • MD5

    154370225f6d203912178dffa4fc473c

  • SHA1

    2525de74d4d439f33e65fdace52e498187e049ed

  • SHA256

    78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e

  • SHA512

    cc29d21d0b2c3a22dd8b16ecbcb8619526dc82c6e97ccc61261183ec1f8423a0784a192782cf1fb5cd24c1df2f64e2db5fa3b73935f7f5bbc60e23acdc4fad7e

  • SSDEEP

    98304:v6CqCCzcj+Lvy9BeEOUFypsZK2+0CqBp9bgX:K1zqkWBeEOtpsZ/VCqBp9c

Malware Config

Extracted

  • Language

    ps1

  • URLs (ps1.dropper)

    https://pastebin.com/raw/Qkwjgmp3

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (exe.dropper)

    https://gist.githubusercontent.com/raigabrielmaia/8ae7b2b263c365744052d344d8b57d7b/raw/58ba6d37349921d43d226b108205458440885d46/Nod.mp3

    https://gist.githubusercontent.com/raigabrielmaia/8ae7b2b263c365744052d344d8b57d7b/raw/58ba6d37349921d43d226b108205458440885d46/avast.mp3

    https://gist.githubusercontent.com/raigabrielmaia/8ae7b2b263c365744052d344d8b57d7b/raw/58ba6d37349921d43d226b108205458440885d46/avastt.mp3

Extracted

  • Family

    metasploit

  • Version

    windows/download_exec

  • C2

    http://certificates.updatecenter.icu:443/v11/5/windowsupdate/redir/v6-win86-wuredir.cab?id=14425600235201

Signatures

  • Metasploit family
  • Njrat family
  • HTTP links in PDF interactive object (1 IoC)

    Detects HTTP links in interactive objects within PDF files.

  • One or more HTTP URLs in PDF identified

    Detects presence of HTTP links in PDF files.
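
The two PDF signatures above differ in what they inspect: the broader one fires on any plaintext URL in the file, the narrower one only on a URL carried by a `/URI` action that a viewer would actually follow, from a Link annotation on click or from the document `/OpenAction` on open. The script below is an added illustration of that distinction; it is not the sandbox's own rule and not code from the analyzed repository. `SAMPLE_PDF`, the `example.invalid` hostnames and the `203.0.113.1` address are constructed for the demo (documentation values). It reads uncompressed objects only, so against real samples the `/FlateDecode` object streams would have to be inflated first.

```python
"""Flag HTTP(S) links carried by interactive PDF objects.

Added illustration (not the sandbox rule): URLs reachable through a /URI action
on a Link annotation or the OpenAction, versus any plaintext URL in the file.
Uncompressed objects only; SAMPLE_PDF and its hosts are constructed test data.
"""
import re

# "N G obj ... endobj" blocks, keyed by object number
_OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# objects that make a link "interactive": link annotations and the OpenAction
_INTERACTIVE = re.compile(rb"/Subtype\s*/Link\b|/OpenAction\b")
# indirect reference to an action object:  /A 7 0 R   or   /OpenAction 6 0 R
_ACTION_REF = re.compile(rb"/(?:A|OpenAction)\s+(\d+)\s+\d+\s+R\b")
# the URI action type, and the /URI value as a literal (...) or hex <...> string
_URI_ACTION = re.compile(rb"/S\s*/URI\b")
_URI_STRING = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S
)
# coarse sweep for any plaintext URL (what the broader signature looks for)
_ANY_HTTP = re.compile(rb"https?://[^\s<>()\\]+")


def _unescape(m):
    c = m.group(1)
    if c[:1] in b"01234567":                  # octal escape, e.g. \056 -> "."
        return bytes([int(c, 8) & 0xFF])
    return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(c, c)  # \( \) \\ -> literal


def _decode_pdf_string(m) -> str:
    """Decode a PDF literal or hex string match into text."""
    if m.group("hex") is not None:
        h = re.sub(rb"\s", b"", m.group("hex"))
        return bytes.fromhex((h + b"0" * (len(h) % 2)).decode()).decode("latin-1")
    lit = re.sub(rb"\\([0-7]{1,3}|.)", _unescape, m.group("lit"), flags=re.S)
    return lit.decode("latin-1")


def interactive_http_links(pdf: bytes) -> list[str]:
    """URLs a viewer would follow on click (Link annotation) or on open (OpenAction)."""
    objs = {int(n): body for n, body in _OBJ.findall(pdf)}
    hits: list[str] = []
    for body in objs.values():
        if not _INTERACTIVE.search(body):
            continue
        # the action may be inline in the annotation/catalog or a referenced object
        candidates = [body] + [objs.get(int(r)) for r in _ACTION_REF.findall(body)]
        for cand in candidates:
            if cand is None or not _URI_ACTION.search(cand):
                continue
            for m in _URI_STRING.finditer(cand):
                url = _decode_pdf_string(m)
                if url.lower().startswith(("http://", "https://")) and url not in hits:
                    hits.append(url)
    return hits


def any_http_urls(pdf: bytes) -> list[str]:
    """Plaintext URLs anywhere in the raw bytes; misses hex-encoded or escaped ones."""
    return sorted({u.decode("latin-1") for u in _ANY_HTTP.findall(pdf)})


def triage(pdf: bytes) -> dict:
    links = interactive_http_links(pdf)
    plain = any_http_urls(pdf)
    return {
        "interactive_http_links": links,
        "any_http_urls": plain,
        "sig_interactive_link": bool(links),       # "HTTP links in PDF interactive object"
        "sig_any_http_url": bool(links or plain),  # "One or more HTTP URLs in PDF identified"
    }


# Constructed sample: one annotation with an octal-escaped literal URI, one
# OpenAction with a hex-string URI, one GoTo action (no URL) and a page stream
# that merely mentions a URL in its text.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://example.invalid/invoice\\056pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] /A 7 0 R >> endobj
6 0 obj << /S /URI /URI <687474703a2f2f3230332e302e3131332e312f61> >> endobj
7 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
8 0 obj << /Length 44 >> stream
BT /F1 12 Tf (see http://example.invalid/doc) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

On the sample, the interactive check recovers both real click/open targets (the octal escape is resolved to `invoice.pdf`, the hex string is decoded to `http://203.0.113.1/a`), while the raw byte sweep sees only the truncated literal and the URL mentioned in page text. That gap is why the narrower signature is the one worth an IoC count: it names what the document will actually do, and a rule that only greps raw bytes is trivially evaded with a hex string.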

Files

  • 78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e
    .zip .ps1
  • malware-analysis-writeups-master/README.md
  • malware-analysis-writeups-master/agent-tesla-loader/agentTeslaLoader.pdf
    .pdf
    • https://twitter.com/kindredsec

    • https://discord.gg/CCZCJCu

  • malware-analysis-writeups-master/ava-maria-rat/AvaMariaAnalysis.pdf
    .pdf
  • malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerBeaconDecrypt.py
    .py .sh linux
  • malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerCatchBeacons.py
  • malware-analysis-writeups-master/bashar-bachir-chain/bashar-bachir-analysis.pdf
    .pdf
    • https://twitter.com/kindredsec

    • https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/helperScripts/extractNodExes.py

    • https://www.virustotal.com/gui/file/dda9f301fefb543235cd29166dd7bf306e2d52fa6126c887f12c1f4a2c8a3fb0/detection

    • https://github.com/yck1509/ConfuserEx

    • https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.createinstance?view=netframework-4.8

    • https://www.youtube.com/watch?v=OqhGU1s6kVk

    • https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/downloader.ps1

    • https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/nod.ps1

    • https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/avastt.ps1

  • malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.ps1
    .ps1
  • malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.vbs
    .vbs
  • malware-analysis-writeups-master/bashar-bachir-chain/files/downloader.ps1
    .ps1
  • malware-analysis-writeups-master/bashar-bachir-chain/files/nod.ps1
    .ps1
  • malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli444.exe
    .exe windows x86

    f34d5f2d4577ed6d9ceec516c1f5a744

  • malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli555.dll
    .dll windows x86

    dae02f32a21e03ce65412f6e56942daa

  • malware-analysis-writeups-master/bashar-bachir-chain/helperScripts/extractNodExes.py
    .py .sh linux
  • malware-analysis-writeups-master/razy-variant/README.md
  • malware-analysis-writeups-master/razy-variant/razyVariantDecryptStackStrings_ghidra.py
  • malware-analysis-writeups-master/swrort-dropper/files/dropper.exe
    .exe windows x86

    87bed5a7cba00c7e1f4015f1bdae2183

  • malware-analysis-writeups-master/swrort-dropper/files/stage1.bat
    .bat .ps1
  • malware-analysis-writeups-master/swrort-dropper/files/stage2.ps1
    .ps1
  • malware-analysis-writeups-master/swrort-dropper/files/v6-win86-wuredir.cab
    .cab
  • malware-analysis-writeups-master/swrort-dropper/swrort-stager-analysis.pdf
    .pdf