General
-
Target
4f333b5a74e464d8fd46fe49bedc760e.bin
-
Size
87KB
-
Sample
230607-b8yk7sgd66
-
MD5
9595b74b7f5435e1e1dee849d14ab860
-
SHA1
86a76ae75a0835197ad2efb44504a93058d0e3c4
-
SHA256
bec45de531ea05bf558a58b477fa85b91f347cb203eb753579c3cebcedccbf31
-
SHA512
f4d7c96bc49e86362bdb589b57b46613ac1b4c57897bab9422d6d6676ef9f3c56100e2660a853d5a28defabd623aa629c3bb5493d46620c5d4d59748dbe4d646
-
SSDEEP
1536:QNAkwr0r7USoKPBlNLWc7DEamt2nhrOo8lJx5DBh5LIBb3tPQcYIaj5kYXlLvdBJ:QNAJr0nUJe1THETtGh2VlBjYb3tPLa19
Static task
static1
Behavioral task
behavioral1
Sample
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
njrat
Platinum
HacKed
127.0.0.1:5505
Runtime Broker.exe
-
reg_key
Runtime Broker.exe
-
splitter
|Ghost|
Targets
-
-
Target
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
-
Size
180KB
-
MD5
4f333b5a74e464d8fd46fe49bedc760e
-
SHA1
110588bfa2559e700564af03db5cf851be5ac3d3
-
SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d
-
SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf
-
SSDEEP
3072:AK3fycY2pTpIb42etB/RpH5pXZOaXqmmgDXnkUrsK0GEx4FvPA+LjpgKab8iPt9G:9r9GE7PH3XZ84kUuVxG7Hpg3f9dO+
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-