General
-
Target
Payment Invoice.zip.7z
-
Size
818B
-
Sample
220809-w55kkafhh8
-
MD5
e62836c609599089390d877d5e14c124
-
SHA1
38dac58cddc1cb1cdd78c401bb0cfea22aa07d76
-
SHA256
1639941c1b2e7451245160fa41afe0c97a25b12c6b97b1280e9e340f0c79d29d
-
SHA512
2ecde7abf900c6a2f336e31c04189e88b63ed16f5239134b6b3bd7dfc0b1be8088300e5014e61b735aef13a7c9047187d0b28457b80a467eff664e08a8b1f8dd
Malware Config
Extracted
https://tradeguru.com.pk/enc2.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Targets
-
-
Target
DWRNHNKWSJEHWYPNYOGGOP.vbs
-
Size
1KB
-
MD5
43f89bd927a7e80c8240c61617dee7bf
-
SHA1
6a8ab5c11c1afd276cf5dbb7b125cff26080459f
-
SHA256
f835187e4e7703e00b2da9f5cca7b9a4ab87d26d27b09e5112d563f6f96dcc9a
-
SHA512
f637d2cdbd59a730b65c770d66c2767febe5f9e8662d133717922990fbf3934a4026b5929960c8dfbfdb228cf164b9390badbc92b19dde11f9ebe5a1018379e4
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request
-
Modifies Windows Firewall
-
Registers COM server for autorun
-
Suspicious use of SetThreadContext
-