General
Target: baa13ad4c9d7ba4f03915385de91c623e63c677a363a1dd2acb2d6f119b8adc4
Size: 1.4MB
Sample: 240205-shk1vscgbq
MD5: a4f8a32f1927d1bf93fbc814883063a3
SHA1: 041cce3c1e69f77923154b9f9be9c09a38ae2515
SHA256: baa13ad4c9d7ba4f03915385de91c623e63c677a363a1dd2acb2d6f119b8adc4
SHA512: a766149f0a9e570a6a577855455964bba47a83f2b3cbf1689727dceb8b9e34fc8658ed656e2b8b2446042908e9af24fe0e236f9cecd4b03d339293d633cef6b9
SSDEEP: 24576:qxLsMs8WdUS8vyooy7U2H55KnzRfnVQF8IqKLu/9ASfb3vXCFK9pYEm1Ap3U:usldsvyoXfHPKl/9Ij+9bqFK9pDm16E

Static task: static1
Behavioral task: behavioral1
Sample: baa13ad4c9d7ba4f03915385de91c623e63c677a363a1dd2acb2d6f119b8adc4.exe
Resource: win7-20231215-en

Malware Config
Extracted: njrat
- 0.7d
- hack
- hakim32.ddns.net:2000
- 0.tcp.jp.ngrok.io:17616
- 0d8147ccf1c17062afe1aa53b667a274
- reg_key: 0d8147ccf1c17062afe1aa53b667a274
- splitter: |'|'|
Targets
- Disables Task Manager via registry modification
- Modifies Windows Firewall
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file: malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of NtSetInformationThreadHideFromDebugger