General
-
Target
0x000b000000003c9f-55.dat
-
Size
37KB
-
Sample
220704-pgt1lahben
-
MD5
c416df61c2d1b3d75fa5983e282542ce
-
SHA1
e1a98256b16e7a1666871133091743ee11e4a171
-
SHA256
4a6cc991136caa150891fc6dea2eed91cc9c6b40030bee9120e1b8b504ab570e
-
SHA512
ec0b63312f058e46b1106731a87aca84ffe196b4c88c433df7399611fc51a07518cc77c21764d289eb81a13b095c1505e1685591335103818916f33beba82c77
Behavioral task
behavioral1
Sample
0x000b000000003c9f-55.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0x000b000000003c9f-55.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
njrat
im523
gay
2.tcp.eu.ngrok.io:11696
b40c8069f7901ea328823f37ffd1b3b2
-
reg_key
b40c8069f7901ea328823f37ffd1b3b2
-
splitter
|'|'|
Extracted
njrat
im523
NEXT
109.197.196.135:9991
413491cbe232876548b9b7cd8a1b451d
-
reg_key
413491cbe232876548b9b7cd8a1b451d
-
splitter
|'|'|
Targets
-
-
Target
0x000b000000003c9f-55.dat
-
Size
37KB
-
MD5
c416df61c2d1b3d75fa5983e282542ce
-
SHA1
e1a98256b16e7a1666871133091743ee11e4a171
-
SHA256
4a6cc991136caa150891fc6dea2eed91cc9c6b40030bee9120e1b8b504ab570e
-
SHA512
ec0b63312f058e46b1106731a87aca84ffe196b4c88c433df7399611fc51a07518cc77c21764d289eb81a13b095c1505e1685591335103818916f33beba82c77
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-