General
- Target: LGServer.bat
- Size: 252KB
- Sample: 240424-zlplsahc9z
- MD5: 8aa9192ef2e6f6cfa7fbf770d7878b8c
- SHA1: f2db70bebe8cc92348d95e2c6667e3e2bda3cf7b
- SHA256: 6fd1b7bf74c09c27153634670caa537acb4aa6d834aedae7dffc5d77f161b0a3
- SHA512: 8408feda79bfcc0a57f9b4e197cd2bffef91178a2a191817ac82e22b5fe8d85b28248c2ca3ed653659619004c59d0bc1e379c8a4e2cbb40e36b05f2ae8551742
- SSDEEP: 6144:DXtO31+JiClvhGIp7ZOWLx5EV4o77ZAr9kGkn:TBvMeV3LxODlAJkGkn
Static task: static1
Behavioral task: behavioral1
- Sample: LGServer.bat
- Resource: win7-20240221-en
Malware Config
Extracted: njrat
- im523
- Chopx
- 127.0.0.1:5552
- d6bfbefac0528ec6983bd8e0f00508f2
- reg_key: d6bfbefac0528ec6983bd8e0f00508f2
- splitter: |'|'|
Extracted: gozi
Targets
- Target: LGServer.bat
- Size: 252KB
- MD5: 8aa9192ef2e6f6cfa7fbf770d7878b8c
- SHA1: f2db70bebe8cc92348d95e2c6667e3e2bda3cf7b
- SHA256: 6fd1b7bf74c09c27153634670caa537acb4aa6d834aedae7dffc5d77f161b0a3
- SHA512: 8408feda79bfcc0a57f9b4e197cd2bffef91178a2a191817ac82e22b5fe8d85b28248c2ca3ed653659619004c59d0bc1e379c8a4e2cbb40e36b05f2ae8551742
- SSDEEP: 6144:DXtO31+JiClvhGIp7ZOWLx5EV4o77ZAr9kGkn:TBvMeV3LxODlAJkGkn
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.