General

  • Target

    8F725C902BF561F62CC1A3331460AA5FA6AB08E9E54FD.exe

  • Size

    13.2MB

  • Sample

    220826-hmg5nahgc7

  • MD5

    44ced2e7e68074eeab69c861726736b3

  • SHA1

    4f1510ba12e1d90b11169326a3d8ee847383c329

  • SHA256

    8f725c902bf561f62cc1a3331460aa5fa6ab08e9e54fdebf6ebcd476a2ab8982

  • SHA512

    c5c8331a7280949f4b8e109e5cb2de30e71da413e741949adf501db4ddf75fe9a977158a6a57823d3c714065583c86e0506e514cdee833c202393ff6024e148d

  • SSDEEP

    393216:hG1uv/z3OcitnplQ8p2DG82n/YcV2JZAeV3I9HI:4Ivn0plQ8pbUZA83C

Malware Config

  • Extracted

    Language: ps1
    Deobfuscated
    URLs (ps1.dropper): https://thearakanpost.com/forms/scv.flv

  • Extracted

    Language: ps1
    Deobfuscated
    URLs (exe.dropper): https://thearakanpost.com/img/min.exe

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks