General

Target: New folder.rar
Size: 6.9MB
Sample: 230304-14sltsed4z
MD5: 27f8ef3eb1c6fdbe295174f4fa4ea19c
SHA1: 4e5768610fd41604c906729f866d4b97e7dbb276
SHA256: a86957ee594e57dfdf8ffdee89b6ad7465212c8724f5cf524983bee81ea74506
SHA512: 94168abe57cf20fb20c17ca1d24aa1395c06d3eb1582f490d967b84b9b025d0613474b0878f375f7d75aa76ba876bee3fa285916090d108ad8324da44bbbab4b
SSDEEP: 196608:fYlj8zcAEYvZ4qhytYPoURanwftLalial8:fwAdB4q0WwKanwhaliR
Behavioral task

behavioral1
Sample: New folder.rar
Resource: win7-20230220-es
Malware Config

Extracted: njrat
v4.0
HacKed
according-psp.at.ply.gg:38979
Windows
reg_key: Windows
splitter: |-F-|

Extracted: njrat
0.7NC
NYAN CAT
mayo21.duckdns.org:2815
5be64674f6c
reg_key: 5be64674f6c
splitter: @!#&^%$

Extracted: njrat
0.7d
hackpack
cryptoban.ddns.net:7080
614f5b9de3a2d1c0768b788aac77a023
reg_key: 614f5b9de3a2d1c0768b788aac77a023
splitter: |'|'|

Extracted: njrat
0.7d
HacKed
FRANSESCOTkyLjE2OC4wLjEwNwStrikStrik:NTU1Mg==
0a12c200b51a3f61d5cce2fd62c96311
reg_key: 0a12c200b51a3f61d5cce2fd62c96311
splitter: |'|'|

Extracted: bitrat
1.38
185.81.157.28:2030
communication_password: 81dc9bdb52d04dc20036dbd8313ed055
tor_process: tor

Extracted: remcos
RemoteHost
127.0.0.1:56932
185.65.134.165:56932
10.16.0.30:56932
45.128.234.54:56932
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-JRDLY5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5

Extracted: asyncrat
0.5.7A
Default
163.172.225.185:6606
163.172.225.185:7707
163.172.225.185:8808
ttseuezglyey
delay: 1
install: false
install_folder: %AppData%
Targets
- Detect Neshta payload
- Neshta: malware from the Neshta family infects other files in order to spread and cause damage.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Async RAT payload
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Drops autorun.inf file: malware can abuse Windows Autorun to spread further via attached volumes.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext