General
Target: Stubs.zip
Size: 239KB
Sample: 220824-k3zezsccf8
MD5: 0fd61bf6d3acd274369943a43fb6f2ab
SHA1: 8076939385a425fdbcafd4aaf97410617ac3f96c
SHA256: 76f8fec1a95db07a76d543fbdb4c9a0094b3e60a47f285372830c8924bc103d7
SHA512: 0d899045b2df7cd2915a0fb28a0792bb2ce97565496a0b1492c7f2d0bc2f251ad7c136145a3d30fa5e316cba04053ab49f83b34a2d2131406dfdf947bb3da5fc
SSDEEP: 6144:Ab3L5MsSI/44sPiL7yFH1dNRnmEzrzHvMsfugMz9V9NM8g:iN//AnP4yHHnmEXrMmLMz9V9NM8g
Behavioral tasks
behavioral1: Sample TUView.exe, Resource win7-20220812-en
behavioral2: Sample TUView.exe, Resource win10v2004-20220812-en
behavioral3: Sample TView.exe, Resource win7-20220812-en
behavioral4: Sample TView.exe, Resource win10v2004-20220812-en
behavioral5: Sample Windows.exe, Resource win7-20220812-en
behavioral6: Sample Windows.exe, Resource win10v2004-20220812-en
Malware Config

Extracted: nanocore
Version: 1.2.2.0
C2: connect1212.ddns.net:54984
Mutex: 88cb7334-a7ec-4d51-a0d9-0f7f768ea541
Attributes:
activate_away_mode: false
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-04-22T14:20:28.391884536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54984
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 88cb7334-a7ec-4d51-a0d9-0f7f768ea541
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: connect1212.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Extracted: njrat
im523
HacKed
C2: connect1212.ddns.net:5552
32dc075b47a82be9c432045c10a29dec
Attributes:
reg_key: 32dc075b47a82be9c432045c10a29dec
splitter: |'|'|
Targets

Target: TUView.exe
Size: 150KB
MD5: 2c5aef89291a616850b5d6a9d532b8c0
SHA1: 48fc949f0e6070407d422107f93af93aa632b356
SHA256: 4d3ddbbc0ae3395c1d5d4b30cc511129ac4944b0338b077176d9d11dd5485063
SHA512: 0653bb4af05678957afc298057888a5c48641e9bff6bd3ed356abefe6b2db3ed280deb2704c3d6cb49a9c56e20b79ddfedf682bc32083ba9580a8dfbbe887db2
SSDEEP: 3072:KV5vmK0PS3TFgUM/ZT0MWcYvWrPVY5c2Ij2LNdakqHH3zq0+Pi585L+0uB+m7P:+GHHi650+5
Score: 8/10
Signatures:
Executes dropped EXE
Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
Drops startup file
Adds Run key to start application

Target: TView.exe
Size: 209KB
MD5: c9f31f31e2db35acd96a1ba8383b127a
SHA1: 80d1545549cea3af6e968eae26c6de9d73c8b57d
SHA256: ab640b81983002bf968ca227b0267a88b89e627ccb3127d46036b25907bd2edb
SHA512: e32da900fc124cb9ccbdf0ec1df6cbcdd5f9c27c743056754ebfe54d4f3c408114b84d54aa9cf6383bffd88de9f1331f985fb20cb7a723cb003c30a05ff561e2
SSDEEP: 3072:kzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIzcFIzby5IzrLjrFV6so5KegrH:kLV6Bta6dtJmakIM5gzbzHv6s5egfgNa
Signatures:
Adds Run key to start application

Target: Windows.exe
Size: 37KB
MD5: e32b6317db18f908fed313c010ea9b76
SHA1: 1b1ea1780aa6618c52f19ae3bc805078bd0accda
SHA256: 2834cad6fb2e22f7f73cbd74efe6cb35760eaf119caa4feab9b5a8c40fdccf0b
SHA512: 6798cd445c4578657f120bbdc7df44d26708b4c989cb0649b57632b71b8d5ae7dfbf3eca41c7ea78dd92ce33a7c34de5456084bd3249f15afd6e93caa204f40e
SSDEEP: 384:x4lZkitgZf5W9cTYXyc/SKlMA+zfz1nssIBNrAF+rMRTyN/0L+EcoinblneHQM3b:alyjjTYic/SKqZssIHrM+rMRa8NuOXt
Score: 8/10
Signatures:
Modifies Windows Firewall
Drops startup file
Adds Run key to start application
Drops autorun.inf file (malware can abuse Windows Autorun to spread further via attached volumes)