General
Target: 3c333cca8a3575459888665c629c5af42fc1849e8011306441a0ae773d996fb2
Size: 613KB
Sample: 220703-j6ts8sbgan
MD5: 3d354d274bea923b12e3950de7f51eea
SHA1: 3ca4aec7982bfbf10804685172974148dbca9d8b
SHA256: 3c333cca8a3575459888665c629c5af42fc1849e8011306441a0ae773d996fb2
SHA512: 083826b7348648de76f9112f347057ab2b99a466eb3b444d8a23074dc54882f9ef279513d33443afad51e9ccd51bc6d7cdcba2e9ec9ddb8beb68c6b5310e2cb9
Static task: static1
Behavioral task: behavioral1
Sample: 3c333cca8a3575459888665c629c5af42fc1849e8011306441a0ae773d996fb2.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 3c333cca8a3575459888665c629c5af42fc1849e8011306441a0ae773d996fb2.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: pony
C2:
http://al-hadin.com/pony/gate.php
http://al-hadin.com/cj/gate.php
payload_url: http://michmetals.info/bin/Myshit.exe
Extracted
Family: njrat
Version: 0.7.3
Botnet: Exploited++
C2: salesxpert.duckdns.org:2889
windows.exe
reg_key: windows.exe
splitter: mnbvcxz12
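The njRAT config above carries the two values that matter most for network detection: the custom field splitter (mnbvcxz12 instead of the stock |'|'|) and the campaign name. The Python below is an added example, not part of this report and not njRAT's own code: it splits a captured TCP stream into njRAT's length-prefixed frames, splits each message on the extracted splitter, and flags the "ll" registration beacon that the Suricata njRAT/Bladabindi "(ll)" alerts listed under Targets are named for. The length, NUL, payload framing and the "ll" command are njRAT behaviour; the bot-id layout (base64 of campaign_volumeserial) and the remaining fields of the constructed beacon are assumptions for illustration.

```python
import base64
import re

# Values taken from the extracted njRAT config in this report.
SPLITTER = b"mnbvcxz12"
VERSION = "0.7.3"
CAMPAIGN = "Exploited++"

# njRAT frames every message as ASCII decimal length, a NUL byte, then that many payload bytes.
FRAME_RE = re.compile(rb"(\d+)\x00")


def parse_frames(stream: bytes):
    """Split a raw TCP stream into njRAT messages.

    Returns (messages, leftover); leftover is a trailing incomplete frame,
    or the whole input if it is not njRAT-framed at all.
    """
    msgs = []
    pos = 0
    while pos < len(stream):
        m = FRAME_RE.match(stream, pos)
        if not m:
            break
        length = int(m.group(1))
        start = m.end()
        if start + length > len(stream):
            break
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs, stream[pos:]


def classify(payload: bytes, splitter: bytes = SPLITTER):
    """Split one message on the configured splitter; decode the bot id of an 'll' beacon."""
    fields = payload.split(splitter)
    info = {"cmd": fields[0].decode("latin-1"), "nfields": len(fields),
            "bot_id": None, "campaign": None}
    if fields[0] == b"ll" and len(fields) > 1:
        # Assumption: field 2 is base64(campaign + "_" + volume serial), as in known njRAT builds.
        try:
            ident = base64.b64decode(fields[1], validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            ident = None
        info["bot_id"] = ident
        if ident:
            info["campaign"] = ident.split("_", 1)[0]
    return info


def is_njrat_registration(stream: bytes, splitter: bytes = SPLITTER):
    """True if the first complete frame is an 'll' registration beacon (what the ET 'll' rule keys on)."""
    msgs, _ = parse_frames(stream)
    return bool(msgs) and msgs[0].split(splitter, 1)[0] == b"ll"


def build_beacon(campaign, volume_serial, host, user, splitter=SPLITTER):
    """Constructed registration beacon for testing; the fields after the bot id are illustrative only."""
    bot_id = base64.b64encode(f"{campaign}_{volume_serial}".encode()).decode()
    fields = [b"ll", bot_id.encode(), host.encode(), user.encode(), b"22-07-03", b"",
              b"Win 10 Pro SP0 x64", b"No", VERSION.encode(), b"..",
              base64.b64encode(b"Program Manager")]
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


if __name__ == "__main__":
    sample = build_beacon(CAMPAIGN, "6A1B2C3D", "DESKTOP-TEST", "user")
    for msg in parse_frames(sample)[0]:
        print(classify(msg))
```

Passing splitter=b"|'|'|" handles stock builds. A signature that hard-codes the default delimiter will not split this build's fields correctly, which is why the extracted splitter belongs in detection content alongside the C2 host and port.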
Targets
Target: 3c333cca8a3575459888665c629c5af42fc1849e8011306441a0ae773d996fb2
Size: 613KB
MD5: 3d354d274bea923b12e3950de7f51eea
SHA1: 3ca4aec7982bfbf10804685172974148dbca9d8b
SHA256: 3c333cca8a3575459888665c629c5af42fc1849e8011306441a0ae773d996fb2
SHA512: 083826b7348648de76f9112f347057ab2b99a466eb3b444d8a23074dc54882f9ef279513d33443afad51e9ccd51bc6d7cdcba2e9ec9ddb8beb68c6b5310e2cb9
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system: enumerates entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to list installed software.
- Suspicious use of SetThreadContext (commonly seen when a suspended child process is overwritten and resumed, i.e. process hollowing)
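The signatures above come from API-level behaviour observed in the sandbox rather than from the binary alone. As an added example (not Triage's own detection code), the Python below applies the same checks to a constructed API trace in a "pid|api|argument" form: Run-key persistence, a Startup-folder drop, Uninstall-key enumeration, the Geo\Nation country lookup, Outlook profile access, execution of a file the trace itself wrote, and SetThreadContext against a process the same pid already wrote into (the hollowing pattern). The trace lines and the trace format are constructed for this example; the registry paths are the standard Windows locations, and the file name windows.exe mirrors the reg_key in the njRAT config.

```python
import re
from collections import defaultdict

# Constructed API trace in "pid|api|argument" form (not Triage output); one call per line.
SAMPLE_TRACE = r"""
1001|NtWriteFile|C:\Users\user\AppData\Local\Temp\windows.exe
1001|CreateProcessW|C:\Users\user\AppData\Local\Temp\windows.exe
1002|RegQueryValueExW|HKEY_CURRENT_USER\Control Panel\International\Geo\Nation
1002|RegOpenKeyExW|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1002|RegEnumKeyExW|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A1B2C3D4-0000-0000-0000-000000000000}
1002|RegOpenKeyExW|HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
1002|RegSetValueExW|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe
1002|NtWriteFile|C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe
1002|WriteProcessMemory|pid=1003
1002|SetThreadContext|pid=1003
1002|NtResumeThread|pid=1003
"""

REG_READ = {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA", "RegQueryValueExW",
            "RegEnumKeyExA", "RegEnumKeyExW", "NtOpenKey", "NtQueryValueKey", "NtEnumerateKey"}
REG_WRITE = {"RegSetValueExA", "RegSetValueExW", "NtSetValueKey"}
FILE_WRITE = {"NtWriteFile", "WriteFile"}
PROC_CREATE = {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess", "ShellExecuteExW"}
DLL_LOAD = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", "LdrLoadDll"}

# Path-based signatures: (name as in the report, APIs it applies to, regex on the argument).
RULES = [
    ("Adds Run key to start application", REG_WRITE,
     re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("Drops startup file", FILE_WRITE,
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("Checks installed software on the system", REG_READ,
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("Checks computer location settings", REG_READ,
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Accesses Microsoft Outlook profiles", REG_READ,
     re.compile(r"\\(Outlook|Windows Messaging Subsystem)\\Profiles(\\|$)", re.I)),
]


def parse_trace(text):
    """Parse 'pid|api|argument' lines into (pid, api, argument) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, api, arg = line.split("|", 2)
            events.append((int(pid), api, arg))
    return events


def match_signatures(events):
    """Return {signature name: [(pid, api, argument), ...]} for every hit in the trace."""
    hits = defaultdict(list)
    written = set()                 # paths this trace wrote, i.e. dropped files
    wpm_targets = defaultdict(set)  # pid -> processes it has written memory into
    for pid, api, arg in events:
        for name, apis, pattern in RULES:
            if api in apis and pattern.search(arg):
                hits[name].append((pid, api, arg))
        key = arg.lower()
        if api in FILE_WRITE:
            written.add(key)
        elif api in PROC_CREATE and key in written:
            hits["Executes dropped EXE"].append((pid, api, arg))
        elif api in DLL_LOAD and key in written:
            hits["Loads dropped DLL"].append((pid, api, arg))
        elif api == "WriteProcessMemory":
            wpm_targets[pid].add(arg)
        elif api == "SetThreadContext" and arg in wpm_targets[pid]:
            # Thread context rewritten in a process this pid already wrote into: hollowing pattern.
            hits["Suspicious use of SetThreadContext"].append((pid, api, arg))
    return dict(hits)


def signature_names(text):
    """Sorted signature names fired by a trace, the way the report lists them."""
    return sorted(match_signatures(parse_trace(text)))


if __name__ == "__main__":
    for name, events in match_signatures(parse_trace(SAMPLE_TRACE)).items():
        print(f"{name}: {len(events)} hit(s)")
```

The SetThreadContext rule deliberately requires an earlier WriteProcessMemory into the same target from the same pid; a lone SetThreadContext is also used by debuggers and legitimate runtimes, so treating it as suspicious on its own produces noise.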