General
-
Target
3e13b13589b9754fe00a4ae671ba640b230d97d5bbad5c7234c774956e19579e
-
Size
588KB
-
Sample
221124-eyg29agg57
-
MD5
a56b4fb6f3d0404a863195d3fd3d4093
-
SHA1
cc14739bcb183debc6eb83347301a220f328b0e1
-
SHA256
3e13b13589b9754fe00a4ae671ba640b230d97d5bbad5c7234c774956e19579e
-
SHA512
0fa15a5f565a479183d3d6bdb44623155d5a8c803a308f1054e22d5168104035d03a563e595a29f260a84f2b0ac2a3f580fa0bd5814a672b41603c779952a6c9
-
SSDEEP
12288:Hq859UOJHgj/657bEq2MZ8o+wUbS5lYxT5+Fd+Su+UnD9JNG+2xCvzOSXN19:vH5UMEOZzvrYod+n+UD9ryGzOSXN
Static task
static1
Behavioral task
behavioral1
Sample
3e13b13589b9754fe00a4ae671ba640b230d97d5bbad5c7234c774956e19579e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3e13b13589b9754fe00a4ae671ba640b230d97d5bbad5c7234c774956e19579e.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
njrat
0.7d
Loads
whiteserver.mooo.com:400
d87c572dcb567ef1c4002658cc4e14f4
-
reg_key
d87c572dcb567ef1c4002658cc4e14f4
-
splitter
|'|'|
Targets
Score
10/10
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-