General
-
Target
32e6b362127592ee9e49750e252cb6b3df75c499cefb2045ae05b7f2e76db2e2
-
Size
16KB
-
Sample
240419-txzm8sha86
-
MD5
4bdccbe4a2885528550e069a0920d91a
-
SHA1
998c72d4573528a261dac8cb747c378c630951e7
-
SHA256
32e6b362127592ee9e49750e252cb6b3df75c499cefb2045ae05b7f2e76db2e2
-
SHA512
448226f1e21f3d28ef09679f257377bbf37eeb330c39753a45945df866efcb44417684f4af4f559598cb8b18fe38d0f5a2f2d772f03078b57ae92160b77c13d8
-
SSDEEP
384:RE4xIYacHy5VhucazvxtntrlSfq670tmzDa8wj6n:exwH+V0caztKh1kjy
Behavioral task
behavioral1
Sample
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
njrat
im523
HacKed
2.tcp.eu.ngrok.io:19483
68d7771434a71722449c404baa3e5b31
-
reg_key
68d7771434a71722449c404baa3e5b31
-
splitter
|'|'|
Targets
-
-
Target
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe
-
Size
37KB
-
MD5
b7dd9dd7470af783d5d955b455d58cac
-
SHA1
bbd0c1d74c948e95f5f007102fbabcf3867a2625
-
SHA256
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f
-
SHA512
af2cec43ea98a7e2c139c1433c4dbcf35ddebc3f70aa8520f64c7096a6f6844f8021cbd22fa4bf46ae4961be1972ca45407b15c1596770fad5cb41c5860fb512
-
SSDEEP
384:zLe2KMizd9jnBhFbJ8ycPVnvvnwaUBTrAF+rMRTyN/0L+EcoinblneHQM3epzXQD:W2g9lLJfcPVn3VU9rM+rMRa8Nu2Bt
Score10/10-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1