General
Target: joao.exe
Size: 89KB
Sample: 230615-hj14cseh97
MD5: a88c703f3ec08baf49df569833dde633
SHA1: f5b47b14f247d4eb1fe0131255a43735b53bb366
SHA256: 15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05
SHA512: 391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307
SSDEEP: 384:aRcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZ2kgAD1vJ:ay30py6vhxaRpcnunF8u3EMyyCg
Behavioral task: behavioral1
Sample: joao.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: joao.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted family: njrat
Version: 0.7d
Botnet: joao
C2: 0.tcp.sa.ngrok.io:11168
Mutex: e6a27426758a6eb3f469a160f094bed0
reg_key: e6a27426758a6eb3f469a160f094bed0
splitter: |'|'|
Targets
Target: joao.exe
Size: 89KB
Signatures:
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext