General
Target
0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f
Size
290KB
Sample
221003-srekfaceh4
MD5
6a890900f264d91b22368ece3b4c2ec0
SHA1
c7f9facce25fde3e168068beb8e2e0d002a1fc80
SHA256
0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f
SHA512
1addbf55230369de0e8fe5e572595b3b20248bcce4c824e1ab3a8deeb73dfa678034cfbee953cee79b439a7bde4b678df0c947b60a7fde9e6f6fcf89c16ba87e
SSDEEP
3072:nMY0O8BEMxRURH1S6Ll65S69q/N6LcaubmmeeleYugci1ze7AdkddcdrFWJw7rr/:MY03M1S6kL1OEG2xFjX9M
Static task
static1
Behavioral task
behavioral1
Sample
0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Family
njrat
Version
0.6.4
Botnet
victime
C2
badprince.no-ip.biz:1177
Mutex
5cd8f17f4086744065eb0992a09e05a2
Attributes
reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|
Targets
Target
0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f
Score
10/10
Signatures
Executes dropped EXE
Modifies Windows Firewall
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Adds Run key to start application
Suspicious use of SetThreadContext
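The extracted config (C2, reg_key, splitter) and the behavioral signatures (Run key persistence, firewall modification) translate directly into host and network checks. The script below is an added example written for this page, not code from the sandbox or from the njRAT author. It assumes the classic njRAT wire framing (a decimal length, a NUL byte, then a body whose fields are joined with the configured splitter) and that the reg_key value is also used as the mutex name; the registry snapshot, command lines and byte stream it runs on are constructed test data, not output of this sample.

```python
"""Checks derived from the njRAT 0.6.4 configuration extracted above.

Added example, not code from the sandbox report. Assumptions: the classic
njRAT framing ("<decimal length>\x00<body>", body fields joined with the
configured splitter) and that the reg_key value is also used as the mutex
name. The snapshot and byte stream in demo() are constructed test data.
"""
from __future__ import annotations

import re

# Values copied from the extracted config on this page.
CONFIG = {
    "c2": "badprince.no-ip.biz:1177",
    "reg_key": "5cd8f17f4086744065eb0992a09e05a2",
    "splitter": "|'|'|",
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Either netsh syntax that adds a program or rule to Windows Firewall.
NETSH_FW = re.compile(
    r"netsh\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)",
    re.I,
)


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port' from the config; rejects anything without a valid port."""
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad C2 string: {c2!r}")
    return host.lower(), int(port)


def parse_frame(buf: bytes, splitter: bytes) -> tuple[list[bytes] | None, bytes]:
    """Pull one length-prefixed frame off a TCP byte stream.

    Returns (fields, remaining). fields is None while the buffer does not yet
    hold a complete frame, so the caller can append the next segment and retry.
    """
    head, sep, rest = buf.partition(b"\x00")
    if not sep:
        if buf and not buf.isdigit():
            raise ValueError("stream does not start with a decimal length prefix")
        return None, buf
    if not head.isdigit():
        raise ValueError("non-numeric length prefix")
    n = int(head)
    if len(rest) < n:
        return None, buf
    return rest[:n].split(splitter), rest[n:]


def triage_host(snapshot: dict, cfg: dict) -> list[str]:
    """Match a host snapshot (Run values, mutexes, command lines, connections)
    against the extracted config and return one finding per hit."""
    findings: list[str] = []
    for name, cmd in snapshot.get("run_values", {}).items():
        if name == cfg["reg_key"]:
            findings.append(f"Run value {RUN_KEY}\\{name} = {cmd}")
    if cfg["reg_key"] in snapshot.get("mutexes", ()):
        findings.append(f"mutex {cfg['reg_key']} held")
    for cmdline in snapshot.get("process_cmdlines", ()):
        if NETSH_FW.search(cmdline):
            findings.append(f"firewall modified: {cmdline}")
    host, port = parse_c2(cfg["c2"])
    for dst_host, dst_port in snapshot.get("connections", ()):
        if dst_host.lower() == host and dst_port == port:
            findings.append(f"connection to C2 {host}:{port}")
    return findings


def demo() -> tuple[list[str], list[bytes]]:
    """Run both checks on constructed data (not output of the sample)."""
    splitter = CONFIG["splitter"].encode()
    body = splitter.join([b"constructed", b"victime", b"0.6.4"])
    stream = str(len(body)).encode() + b"\x00" + body
    # Deliver the frame in two segments to exercise the incomplete-frame path.
    fields, rest = parse_frame(stream[:5], splitter)
    assert fields is None
    fields, rest = parse_frame(rest + stream[5:], splitter)

    snapshot = {  # constructed host snapshot
        "run_values": {
            CONFIG["reg_key"]: r'"C:\Users\user\AppData\Roaming\server.exe"',
            "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
        },
        "mutexes": {CONFIG["reg_key"]},
        "process_cmdlines": [
            r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE',
            r"C:\Windows\System32\svchost.exe -k netsvcs",
        ],
        "connections": [("badprince.no-ip.biz", 1177), ("update.microsoft.com", 443)],
    }
    return triage_host(snapshot, CONFIG), fields


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

parse_frame returns None for a partial frame instead of raising, because a C2 message can straddle TCP segments; only a non-numeric prefix is treated as "not njRAT". The host checks key on the reg_key string rather than on a file path, since the dropped executable's name varies per build while the Run value name and mutex are fixed by the config.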