General
-
Target
vmkiller 1.5.3 - Copy - Copy (3).rar
-
Size
32.7MB
-
Sample
231214-cj6e7aaghr
-
MD5
1a533f783daccdf581712d6d06b33793
-
SHA1
c917f774fb4308ea7a091d54cbf2dbcf7732d1ad
-
SHA256
4b111c6f34ec6647a0fa2993467c0d120e937e441ed52f92ac8bc804e45c29a9
-
SHA512
c9c89bb4d366134a7ee287cba73fa968e11d32649bf55a09fec69da89c3bd14ba9632d24f28311441ba8b244b92a7eb1944844d632a945e1010c731df2599606
-
SSDEEP
786432:9AXytOLbapA2sanzoVMSwMnqXbNNV1LUJvl73AR+skf:9ZtOXL2sanzoO7KqLN5IwR+skf
Malware Config
Extracted
njrat
0.7d
HacKed
24.6.141.96:1337
91824e475f9cf5bac9f74d347da2f4d3
-
reg_key
91824e475f9cf5bac9f74d347da2f4d3
-
splitter
|'|'|
Extracted
nanocore
1.2.2.0
24.6.141.96:1337
2b13cf2e-6b51-40a2-b312-fe2fed9718b6
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-05-07T06:44:15.790484036Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1337
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
2b13cf2e-6b51-40a2-b312-fe2fed9718b6
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
24.6.141.96
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
vmkiller 1.5.3 - Copy - Copy (3).exe
-
Size
35.9MB
-
MD5
5ff5de7a40daf8f61ed1a1bdfa934ba0
-
SHA1
b8e9fde4a795f867527a887722d629c88a96f642
-
SHA256
e5ac35ebe1f85ec4c6121135406b7addb5af78bf2df62d2dc6db74365815cc82
-
SHA512
0c9e78da51f9fbf53db0e1600f42a1a6765581f442ab24e648892db0885b2e0121564afbb1bff7be5c5420f66993d3bf63eea45636dd6dd0ff69dee8a42c2810
-
SSDEEP
786432:Hnro2B5bYhCuVLzJ+pkfkAePJwJkMQU9eNOca:Lo2BrIQM0P3MQUsPa
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Ratty
Ratty is an open source Java Remote Access Tool.
-
Ratty Rat payload
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Checks whether UAC is enabled
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1