General

Target: sample.exe
Size: 4.6MB
Sample: 230324-zeywwahc26
MD5: 7e8ba9fb61fa408145919b871075e1c9
SHA1: d166c427649f37085719c0591fb0b8da077dc0db
SHA256: 3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
SHA512: 3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
SSDEEP: 49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8 (as shown in the report; the second chunk appears cut off after the final colon, so match on the full hash from the sample itself rather than on this value)
Tasks

Static task: static1
Behavioral task: behavioral1 (sample: sample.exe, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: sample.exe, resource: win10v2004-20230220-en)
Malware Config

Extracted
Family: njrat
Version: v2.0
Botnet: HacKed
C2: vesperiskindagoated.hopto.org:5552
Mutex: WSecurityKey (label as presented in the extractor layout; the same string is reused as the registry value name below)
Attributes:
- reg_key: WSecurityKey
- splitter: |-F-|

Notes on the config: "HacKed" is the default campaign identifier that ships with the njRAT builder, so on its own it identifies the tool family rather than a particular operator. hopto.org is a No-IP dynamic-DNS zone, so the address the hostname resolves to can change between runs; pivot and block on the hostname and port pair rather than on any single IP observed during analysis. The splitter is the field delimiter the RAT uses inside its C2 messages and, together with the port, is the most specific network-level fingerprint of this build; the reg_key value is the host-side equivalent.
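The splitter, port and botnet id above are enough to recognise this build's traffic. The following Python is an added example, not code from the sandbox report or from njRAT itself: it frames and parses njRAT-style C2 messages (ASCII decimal length, a NUL byte, then splitter-delimited fields) using this sample's splitter, summarises a registration ("ll") message, and handles a truncated trailing frame the way a stream reassembler must. The registration field order, the constructed beacon bytes and the helper names are assumptions made for the example.

```python
"""njRAT frame parser using this sample's extracted config.

Added example: not code from the sandbox report or from njRAT itself.
Framing (decimal length, NUL, payload) and splitter-delimited fields are as
documented for 0.7d-family builds; the exact registration field order and
the constructed traffic below are assumptions for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SPLITTER = "|-F-|"                                  # extracted config: splitter
BOTNET_ID = "HacKed"                                # extracted config: botnet / campaign id
C2 = ("vesperiskindagoated.hopto.org", 5552)        # extracted config: C2 host:port

# length prefix: ASCII digits followed by a NUL byte
_LEN_PREFIX = re.compile(rb"(\d+)\x00")


@dataclass
class Frame:
    command: str
    fields: list[str] = field(default_factory=list)


def encode_frame(parts: list[str], splitter: str = SPLITTER) -> bytes:
    """Serialise one message: <decimal length> NUL <fields joined by splitter>."""
    payload = splitter.join(parts).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter: str = SPLITTER) -> tuple[list[Frame], bytes]:
    """Split a reassembled TCP stream into complete frames.

    Returns (frames, leftover). Leftover holds an incomplete trailing frame so
    the caller can append the next chunk and call again; an offset with no
    length prefix stops parsing rather than guessing at a resync point.
    """
    frames: list[Frame] = []
    pos = 0
    while pos < len(stream):
        m = _LEN_PREFIX.match(stream, pos)
        if m is None:
            break                           # not njRAT framing at this offset
        length = int(m.group(1))
        start = m.end()
        if start + length > len(stream):
            break                           # incomplete frame: wait for more bytes
        text = stream[start:start + length].decode("utf-8", errors="replace")
        parts = text.split(splitter)
        frames.append(Frame(parts[0], parts[1:]))
        pos = start + length
    return frames, stream[pos:]


def registration_summary(frame: Frame) -> dict[str, str] | None:
    """Pull identifying fields out of an "ll" (registration) frame.

    Assumed field order: <botnet>_<hwid>, hostname, user, install date, (empty),
    OS string, webcam flag, version, "..", base64 active-window title.
    """
    if frame.command != "ll" or len(frame.fields) < 8:
        return None
    botnet, _, hwid = frame.fields[0].partition("_")
    return {
        "botnet": botnet,
        "hwid": hwid,
        "host": frame.fields[1],
        "user": frame.fields[2],
        "os": frame.fields[5],
        "version": frame.fields[7],
    }


def matches_this_build(summary: dict[str, str]) -> bool:
    """True when the registration carries the campaign id from this sample's config."""
    return summary["botnet"] == BOTNET_ID


def constructed_beacon() -> bytes:
    """Constructed traffic for the example (not captured from this sample):
    one complete registration frame followed by a truncated second frame."""
    ll = ["ll", f"{BOTNET_ID}_1A2B3C4D", "DESKTOP-LAB", "analyst", "23-03-24", "",
          "Win 10 Pro x64", "No", "v2.0", "..", "U2FuZGJveA==", ""]
    truncated = b"57\x00ll" + SPLITTER.encode("ascii")
    return encode_frame(ll) + truncated


if __name__ == "__main__":
    frames, leftover = parse_frames(constructed_beacon())
    for fr in frames:
        info = registration_summary(fr)
        if info and matches_this_build(info):
            print(f"njRAT {info['version']} check-in from {info['host']} / {info['user']} "
                  f"(hwid {info['hwid']}) for C2 {C2[0]}:{C2[1]}")
    print(f"{len(leftover)} leftover bytes awaiting the next chunk")
```

Feed `parse_frames` the reassembled client-to-server stream from a pcap (or a live socket buffer) and keep the leftover bytes between calls; a stream that never yields a length prefix at offset zero is simply not this protocol, and a registration whose botnet id is not HacKed is a different njRAT build sharing the port.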
Targets

Target: sample.exe
Score: 10/10

Signatures
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Adds Run key to start application

The Run key and startup-file signatures are the persistence half of the extracted config: the reg_key attribute (WSecurityKey) is the registry value name njRAT writes under the current user's Run key, so that value name, together with the dropped executable in the Startup folder, is what to hunt for on hosts. The Agile.Net finding explains why a plain string search of the on-disk binary is unlikely to surface the C2 hostname or splitter; expect to need the unpacked assembly or a memory dump from the behavioral run to recover them.
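The extracted config and the persistence signatures above translate directly into host and network hunting rules. The following Python is an added example, not part of the sandbox report: it encodes the Run-key value name, the Startup-folder drop, the C2 hostname resolution and the C2 connection as rules and runs them over constructed log lines. The log lines are a simplified key=value rendering of Sysmon-style events (registry set, DNS query, network connect, file create) written for this example, with a hypothetical host "lab" and TEST-NET addresses; they are not sandbox output.

```python
"""Hunting rules derived from this report's config and behaviour signatures.

Added example: not part of the sandbox report. The log lines are a constructed,
simplified key=value rendering of Sysmon-style events (13 registry set,
22 DNS query, 3 network connect, 11 file create), not sandbox output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

C2_HOST = "vesperiskindagoated.hopto.org"   # extracted config: C2 host
C2_PORT = 5552                                # extracted config: C2 port
REG_KEY = "WSecurityKey"                      # extracted config: reg_key

# "Adds Run key to start application": value name taken from the config.
RUN_KEY_RE = re.compile(
    r"TargetObject=HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    + re.escape(REG_KEY) + r"\b",
    re.IGNORECASE,
)
# "Drops startup file": any executable written to the per-user Startup folder.
STARTUP_RE = re.compile(
    r"TargetFilename=.*\\Start Menu\\Programs\\Startup\\[^\\]+\.exe\b", re.IGNORECASE
)
# C2 resolution: with dynamic DNS the IP is unreliable, the name is not.
DNS_RE = re.compile(r"QueryName=" + re.escape(C2_HOST) + r"\b", re.IGNORECASE)
PORT_RE = re.compile(r"DestinationPort=" + str(C2_PORT) + r"\b")
HOSTNAME_RE = re.compile(r"DestinationHostname=(\S*)")


@dataclass(frozen=True)
class Hit:
    rule: str
    line_no: int
    line: str


def regex_rule(name: str, rx: re.Pattern[str]) -> Callable[[str], str | None]:
    return lambda line: name if rx.search(line) else None


def c2_connect_rule(line: str) -> str | None:
    """Port alone is weak evidence; require the C2 hostname for a strong hit."""
    if not PORT_RE.search(line):
        return None
    m = HOSTNAME_RE.search(line)
    if m and m.group(1).lower() == C2_HOST:
        return "njrat_c2_connect"
    return "port_5552_only_weak"


RULES: list[Callable[[str], str | None]] = [
    regex_rule("njrat_run_key_" + REG_KEY, RUN_KEY_RE),
    regex_rule("startup_folder_exe", STARTUP_RE),
    regex_rule("njrat_c2_dns", DNS_RE),
    c2_connect_rule,
]


def scan(lines: list[str]) -> list[Hit]:
    """Run every rule over every line; one Hit per (rule, line) match."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        for rule in RULES:
            name = rule(line)
            if name:
                hits.append(Hit(name, n, line))
    return hits


# Constructed log lines (hypothetical host "lab", TEST-NET addresses); line 5 is benign.
LOG_LINES = [
    r"EventID=13 Image=C:\Users\lab\AppData\Roaming\dropped.exe EventType=SetValue "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey "
    r'Details="C:\Users\lab\AppData\Roaming\dropped.exe"',
    "EventID=22 Image=C:\\Users\\lab\\AppData\\Roaming\\dropped.exe "
    "QueryName=vesperiskindagoated.hopto.org QueryStatus=0 QueryResults=192.0.2.10;",
    "EventID=3 Image=C:\\Users\\lab\\AppData\\Roaming\\dropped.exe Protocol=tcp "
    "DestinationIp=192.0.2.10 DestinationHostname=vesperiskindagoated.hopto.org DestinationPort=5552",
    r"EventID=11 Image=C:\Users\lab\AppData\Roaming\dropped.exe "
    r"TargetFilename=C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.exe",
    r"EventID=13 Image=C:\Program Files\Microsoft OneDrive\OneDrive.exe EventType=SetValue "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe Protocol=tcp "
    "DestinationIp=198.51.100.7 DestinationHostname= DestinationPort=5552",
]

if __name__ == "__main__":
    for h in scan(LOG_LINES):
        print(f"line {h.line_no}: {h.rule}")
```

The weak port-only rule is kept separate on purpose: 5552 is a common njRAT default, so a bare connection to that port is a lead for triage, not an alert, while a resolution of or connection to the named C2 host is specific to this build. The Run-key rule is the sharpest host indicator because the value name is operator-chosen.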