General
Target: Server.bin.zip
Size: 43KB
Sample: 221107-wbxb4aadb9
MD5: 562ba3c4367f7e8e1b55f70cc79b4548
SHA1: 1af17121cc67de62cbb1a677ee8cf9a41034e220
SHA256: 6c5f008b6fb6dc6b52356be1cff64f1aed63023273b5d2055866f066cc14f776
SHA512: 1c1255f74dd2def0fbf3c35657c4c617bee48640fa77d3c28595f012a9db4a062b5611079186f286f2dd9f4f9ed955fdadbc338e96e969487e99f02defe9ebb1
SSDEEP: 768:iATUlMZLcjaTQ4g7JjsfmTgHPWlDg6XAKmmACxGC8G886dMeZM1E4gUASmRd:iRMZ4aTi7JYME6VQUxG53NUAS2d
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: Elex
C2: NC50Y3AuZXUubmdyb2suaW8Strik:MTgzNzk=
Mutex: 51fdfa7645928e2ac1d9effc2044fef0
Attributes:
  reg_key: 51fdfa7645928e2ac1d9effc2044fef0
  splitter: |'|'|
Extracted
Family: vidar
Version: 55.6
Botnet: 1707
C2: https://t.me/seclab_new
C2: https://mas.to/@ofadex
Attributes:
  profile_id: 1707
Targets
Target: Server.bin.zip (43KB; hashes as listed under General)
Signatures:
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory