General
-
Target
Servers.exe
-
Size
93KB
-
Sample
240523-m7le2adh8v
-
MD5
11c3d736636d5acad291182340e6e647
-
SHA1
e64cd1bfe00a133b377797b4fee57895ed277633
-
SHA256
17f615a23b022f18f3d61c71e03ab634f21da34ae74b0db76763c6caa49cf7d1
-
SHA512
eebf3190b0a0529376e4dbe1b54f40880f7a8b7d93dfebc8c3a09184ccc9a867b576aafce511701a36d95c1d0b66f1b5179a839056e401189270e46370d285e6
-
SSDEEP
768:lY3D69hWXxyFcxovUKUJuROprXtwNheYhYbmXxrjEtCdnl2pi1Rz4Rk30sGdpPgM:I6TWhIUKcuOJ2PhBjEwzGi1dDMDPgS
Malware Config
Extracted
njrat
0.7d
HacKedw
hakim32.ddns.net:2000
5.tcp.eu.ngrok.io:15949
e9825053491379a6131c11cac9dacb5a
-
reg_key
e9825053491379a6131c11cac9dacb5a
-
splitter
|'|'|
Targets
-
-
Target
Servers.exe
-
Size
93KB
-
MD5
11c3d736636d5acad291182340e6e647
-
SHA1
e64cd1bfe00a133b377797b4fee57895ed277633
-
SHA256
17f615a23b022f18f3d61c71e03ab634f21da34ae74b0db76763c6caa49cf7d1
-
SHA512
eebf3190b0a0529376e4dbe1b54f40880f7a8b7d93dfebc8c3a09184ccc9a867b576aafce511701a36d95c1d0b66f1b5179a839056e401189270e46370d285e6
-
SSDEEP
768:lY3D69hWXxyFcxovUKUJuROprXtwNheYhYbmXxrjEtCdnl2pi1Rz4Rk30sGdpPgM:I6TWhIUKcuOJ2PhBjEwzGi1dDMDPgS
Score8/10-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-