General
Target: a.vbs
Size: 226KB
Sample: 221205-v7njdsed2w
MD5: 9792c84f24e1492cc4d179523fdfcb9d
SHA1: f53e9afdd5ba3302186b6be1ac446c9f081c362f
SHA256: 03b0e67b65740307c5f7109587ff3218aa803c0998a23f83f8790fd9a1e0fb47
SHA512: 83c42a63b51dfa007012ef6f0b8e2c5e8df31610d2af391f62e7921ce5bc5bdc7eff31f255d8ab96a58563ecb20f0051f61e9482b97ce97ee60e0cfbd0d1518e
SSDEEP: 3072:eXFJliLfuE8ozlADw8auustFmbicHkwOt4MYI2x75nehsqgB3F23st+Zn3F/MvVF:sliLfudcHV
Static task: static1
Behavioral task: behavioral1
Sample: a.vbs
Resource: win7-20221111-es
Malware Config
Extracted
http://4.204.233.44/Dll/Dll.ppam
Extracted
njrat
im523
1 DIC
prueba30novok.duckdns.org:8002
5a6bb4a00c1be0a58dddea6ebb918e6f
reg_key: 5a6bb4a00c1be0a58dddea6ebb918e6f
splitter: |'|'|
Targets
Blocklisted process makes network request
Modifies Windows Firewall
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Drops startup file
Suspicious use of SetThreadContext