General
Target: a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
Size: 592KB
Sample: 220524-d7kztsedf4
MD5: cb6e4575662be7979855943c528f8dcb
SHA1: 3117b905dead7a714ca0d8edd2a643e1a3dffda9
SHA256: a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
SHA512: fe7b591a06f68598bd1e7f18d66c7de4400d261acb8ee141db675116b08bb197de7520764ddeb01e9bc60618e5daeefe31c60cfdb124bb060a61a5d3f3909b00
Static task: static1
Behavioral task: behavioral1 (Sample: a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f.exe, Resource: win10v2004-20220414-en)
Malware Config
Extracted: http://chopa.mywire.org/f.jpg
Extracted: limerat
  1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
  aes_key: nulled
  antivm: true
  c2_url: https://pastebin.com/raw/cXuQ0V20
  delay: 33
  download_payload: false
  install: true
  install_name: Monitor.exe
  main_folder: AppData
  pin_spread: false
  sub_folder: \
  usb_spread: true
Extracted: njrat
  0.7d
  HacKed
  81.61.77.92:5553
  c34d2dcb6f6ef032823fc192432ddb99
  reg_key: c34d2dcb6f6ef032823fc192432ddb99
  splitter: |'|'|
Targets
Target: a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta: malware from the Neshta family infects other files with its own code in order to spread itself and cause damage.
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.