General
Target: 3BD4EE3B206242034B5F90DFCFC1AF11E1C2F46BB6E7E.exe
Size: 873KB
Sample: 220928-2ss9nahcc6
MD5: d93b0a6e1bc395773039809a097b6a65
SHA1: 92c957d07b4b2e69f77e0e0f12ce80fae1c80e5b
SHA256: 3bd4ee3b206242034b5f90dfcfc1af11e1c2f46bb6e7e8cee9994311477fc6cd
SHA512: 54e7e3c20ae3e61883efa37bf4b6a459ecb51f3096400d05076645af8037797081731060268d0f7ed5ca78b5b0a80fa3415933b08a0f2cf09cbd03781b6220c5
SSDEEP: 12288:2h1oFjTirpGk4vs/ZPl0SyFAY35oqb/sxwNp8bQHK:2h1uHiI/s/ZeS6Diy/sxwNp8j
Behavioral task: behavioral1
Sample: 3BD4EE3B206242034B5F90DFCFC1AF11E1C2F46BB6E7E.exe
Resource: win7-20220812-en
Malware Config
Extracted config 1:
  njrat
  0.7d
  HacKed
  2.tcp.ngrok.io:14402
  5cb3161ea3511d9f5e42e30a884c6964
  reg_key: 5cb3161ea3511d9f5e42e30a884c6964
  splitter: |'|'|
Extracted config 2:
  njrat
  im523
  q
  8.tcp.ngrok.io:13778
  6654f70ed551969a7183a6a878927468
  reg_key: 6654f70ed551969a7183a6a878927468
  splitter: |'|'|
Targets
Target: 3BD4EE3B206242034B5F90DFCFC1AF11E1C2F46BB6E7E.exe
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file: Malware can abuse Windows Autorun to spread further via attached volumes.