General
-
Target
5ffc76cfa5ade6017fff6b56c343f718.exe
-
Size
93KB
-
Sample
231207-mgh7zshd34
-
MD5
5ffc76cfa5ade6017fff6b56c343f718
-
SHA1
ac5b3889af5e488c26102b1b886c00ae0b15aebc
-
SHA256
26b9f4e5aeae4aa95e44a9a9d51d028b30bd6c9f329bbe8b52511c65ba294fb3
-
SHA512
9be0f6dff2f25493e54a7b26ad405e5aef0ea3d4eee8674a02e4c2407ca4f8126debd6be26f3ae193e2b1fc459e667242d2380dd9f9522ddf2d01a378db4fba0
-
SSDEEP
768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
Behavioral task
behavioral1
Sample
5ffc76cfa5ade6017fff6b56c343f718.exe
Resource
win7-20231129-en
Malware Config
Extracted
-
Family
njrat
-
Version
0.7d
-
Botnet
HacKed
-
C2
hakim32.ddns.net:2000
6.tcp.eu.ngrok.io:13150
-
Mutex
eafe3130af183c86c36221806d0c196a
-
reg_key
eafe3130af183c86c36221806d0c196a
-
splitter
|'|'|
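The splitter above is the field delimiter njRAT uses inside its C2 messages, and each message is framed as an ASCII decimal byte length, a 0x00 byte and then the payload. The following parser is an added example, not part of this report or of the sandbox's tooling: it walks a captured byte stream frame by frame, splits each frame on the extracted splitter, and pulls the victim details out of the "ll" registration message. The sample traffic is constructed here, and the field order assumed for the registration message, the "<botnet>_<hwid>" victim-ID layout and the "P" keepalive are assumptions from the njRAT 0.7d protocol rather than data taken from this analysis.

```python
import base64
from typing import Dict, List, Optional

# Field delimiter from the extracted config above.
SPLITTER = "|'|'|"

# Assumed field order of the "ll" registration message (njRAT 0.7d layout as
# understood by the author of this example; treat the indices as an assumption).
REG_FIELDS = ("cmd", "victim_id", "hostname", "username", "date", "unused",
              "os", "camera", "version", "unused2", "active_window_b64")


def build_frame(payload: str) -> bytes:
    """Encode one njRAT frame: ASCII decimal byte length, 0x00, then payload."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def parse_frames(stream: bytes, splitter: str = SPLITTER) -> List[List[str]]:
    """Split a captured TCP byte stream into frames, then each frame into fields.

    Raises ValueError on a malformed length prefix or a truncated frame so a
    caller working on a partial capture stops cleanly instead of misparsing.
    """
    frames: List[List[str]] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            raise ValueError("no terminator after length prefix")
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError("bad length prefix %r" % prefix)
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            raise ValueError("truncated frame")
        payload = stream[start:end].decode("utf-8", errors="replace")
        frames.append(payload.split(splitter))
        pos = end
    return frames


def registration_info(fields: List[str]) -> Optional[Dict[str, Optional[str]]]:
    """Extract victim details from an 'll' registration frame, else return None."""
    if not fields or fields[0] != "ll" or len(fields) < len(REG_FIELDS):
        return None
    info: Dict[str, Optional[str]] = dict(zip(REG_FIELDS, fields))
    # Assumed: the victim ID is "<botnet>_<hwid>", where the botnet name is the
    # campaign tag ("HacKed" in the config above).
    botnet, _, hwid = (info["victim_id"] or "").partition("_")
    info["botnet"], info["hwid"] = botnet, hwid
    try:
        raw = base64.b64decode(info["active_window_b64"] or "", validate=True)
        info["active_window"] = raw.decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        info["active_window"] = None
    return info


def summarize(stream: bytes, splitter: str = SPLITTER) -> dict:
    """Frame count, the command word of every frame, and the registration if any."""
    frames = parse_frames(stream, splitter)
    reg = None
    for fields in frames:
        reg = registration_info(fields)
        if reg:
            break
    return {"frames": len(frames),
            "commands": [f[0] for f in frames],
            "registration": reg}


# Constructed sample traffic (not captured from the real sample): a registration
# frame followed by a keepalive. Hostnames, user, HWID and window title are made up.
_REG_PAYLOAD = SPLITTER.join([
    "ll", "HacKed_1A2B3C4D5E6F", "DESKTOP-TEST", "user", "23-12-07", "",
    "Win 7 Professional SP1 x86", "No", "0.7d", "..",
    base64.b64encode(b"Untitled - Notepad").decode("ascii"),
])
SAMPLE_STREAM = build_frame(_REG_PAYLOAD) + build_frame("P")

if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
```

Feeding a real capture to parse_frames with the splitter from this config is a quick way to confirm that traffic to the two C2 hosts is njRAT rather than some other tool on the same ngrok endpoint; the length-prefix check also makes a non-njRAT stream fail fast instead of yielding garbage fields.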
Targets
-
Target
5ffc76cfa5ade6017fff6b56c343f718.exe
-
Disables Task Manager via registry modification
Sets the DisableTaskMgr policy value under Policies\System in the registry so the user cannot end the process from Task Manager; clear that value when cleaning the host.
-
Modifies Windows Firewall
njRAT adds its own executable as an allowed program (netsh firewall add allowedprogram), so a user-mode process creating a firewall exception for itself is a useful detection point on hosts where that should never happen.
-
Checks computer location settings
Reads the country code configured in the registry, most likely as a geofence check.
-
Deletes itself
-
Drops startup file
Persistence: a copy is placed in the user's Startup folder and a Run-key value is registered. The Run-key value name is the reg_key string from the config above (njRAT also uses the same string as its mutex name), so search the Run keys, the Startup folder and the mutex namespace for that value.
-
Executes dropped EXE
Together with "Deletes itself", this matches njRAT's install routine: copy itself to a new path, launch the copy, then remove the original.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
Both extracted C2 endpoints sit on third-party infrastructure: a dynamic DNS hostname (hakim32.ddns.net:2000) and an ngrok TCP tunnel (6.tcp.eu.ngrok.io:13150). The operator's real address is hidden behind these and can change at any time, so block and alert on the hostnames rather than on whatever IP they resolve to today.
-
Drops file in System32 directory
-