General
-
Target
1b1000a9049ef7a4b12ff02ebff4ba367f28f6e34bd36d121d721fc4a531c7fb
-
Size
72KB
-
Sample
221128-m716gsdf6v
-
MD5
f4c44aa81ec8b6a76d6c5eac2e1c863c
-
SHA1
6fd206285f36a8922ebd9392966b2dd2e16b73a4
-
SHA256
1b1000a9049ef7a4b12ff02ebff4ba367f28f6e34bd36d121d721fc4a531c7fb
-
SHA512
e4f46adc69388968e4b1ebde778164c9bb2b498a20aa71dc31804b888f7dc97ba213f8dc9dbe11b6ffe87142e1bb59dae0fc67fa864e168803e6a541d5459db9
-
SSDEEP
1536:Mbkz/uz7fhC73ybzlr6kI+KEgW3Xt97m62hglenfnVF3kVWO0MhJEe:Q0uXAqzlUUgWHrC9qSiYe
Malware Config
Extracted
njrat
0.6.4
nEwHacKed
slowburn.linkpc.net:6760
a5e14c6feeac7389fad3a06801dddd4f
-
reg_key
a5e14c6feeac7389fad3a06801dddd4f
-
splitter
|'|'|
Extracted
pony
http://slow1234.serveftp.com/duos/gate.php
Targets
-
-
Target
pdf.exe
-
Size
102KB
-
MD5
b04423987d7a01ca1bf5b1f8f2b77b0c
-
SHA1
6468823f6da30059a2750cf2b4599fdb8e450f05
-
SHA256
8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
-
SHA512
c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295
-
SSDEEP
1536:TcTbDj6OLC73ybzlr6kI+KEBXiI40n6aDnOae98fAaMGSSpvvKet2Hbq86Dm:TcX6OWqzlUUBSpE6aDOOvvNtP86Dm
Score10/10-
Modifies WinLogon for persistence
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-