General
-
Target
hello_123.rar
-
Size
16KB
-
Sample
220616-2qgg3shebj
-
MD5
db3210b3ed9c67de2b54d130f04eb92e
-
SHA1
d0ac4da641472fc99f0393f9bfc89fef79d438f8
-
SHA256
574cd5c5cc1c280c53dabc2501198c7257f344c4617f81f0bb632c52b770b1f8
-
SHA512
1e8f1c1a1462ece4991a5bdb1d46f39d4407708196a8e639a6dfa73552c8f0d8701c150e893e9e083a01c9ec46dcf30df5e75c285c4b4a3944d3a375b1371987
Behavioral task
behavioral1
Sample
hello.exe
Resource
win7-20220414-en
Malware Config
Extracted
njrat
im523
gay
5.tcp.eu.ngrok.io:12059
17a12256c22089ecda68e950006be021
-
reg_key
17a12256c22089ecda68e950006be021
-
splitter
|'|'|
Extracted
njrat
im523
NEXT
109.197.196.135:9991
413491cbe232876548b9b7cd8a1b451d
-
reg_key
413491cbe232876548b9b7cd8a1b451d
-
splitter
|'|'|
Targets
-
-
Target
hello.exe
-
Size
37KB
-
MD5
f6578c4f484063121bb63109b543fb95
-
SHA1
baae4772f958a85f2420a7c112f3b0ee02f962ce
-
SHA256
c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
-
SHA512
882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-