General
Target: Valkyria.exe
Size: 8.2MB
Sample: 240522-jpeb8agg24
MD5: 1626922cadeeedea404cadfe628d7e16
SHA1: 9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
SHA256: 202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
SHA512: 80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
SSDEEP: 196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN
Malware Config
Extracted: njrat
- 0.7d
- SvHost
- hakim32.ddns.net:2000
- rates-alfred.gl.at.ply.gg:39912
- 07fe81bb92603a7ba50e57049dc09693
- reg_key: 07fe81bb92603a7ba50e57049dc09693
- splitter: |'|'|
Extracted: blackguard
- https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928
Targets
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.