General

Target: wpcheck1915.exe
Size: 9.5MB
Sample: 240623-wpt4wssbnq
MD5: 86f8cb334d0d33a4a279b2c49f094ff6
SHA1: baf3c9c3f6dfbf68eea3d54f199df9c735b846cf
SHA256: a10b43a2c8d651a7a1519547ea09050dcfd2e6fcbf7a968b8e8aef64f97a55d3
SHA512: 4270ef74475becc38b539abce86a0a8153c17931cc3fe855751c7e10a9438fa1c9cf8607a3f5062e3d7776a8839cea22a3366acac2cf166bbe4d39f132ed8985
SSDEEP: 196608:hu7T2nZO7IywXOdfYquRQrhq06Cs/3p8zQOK9w6mMIV0A18LQOB:Mn247JuOuD0Pkqsw6PK518LQW
Malware Config

Extracted (download URL)
https://hjhhhsfdghsjfghghdbfjksjfgdhgfjksghjkshf34tjhjkdsdjghsjkhg.000webhostapp.com/Att.jpg

Extracted (RAT configuration)
Family: njrat
Version: Platinum
Botnet: EGYSTUB
C2: 127.0.0.1:7077
Install name: System.exe
reg_key: System.exe
splitter: |Ghost|

Note that the configured C2 address is the loopback address, so the implant as configured cannot reach an external controller; the usable network indicators from this config are the port (7077) and the non-default splitter string (|Ghost|, in place of njRAT's usual |'|'|), and the host indicators are the Run key value name and the dropped executable name (System.exe).
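The splitter is the string njRAT places between the fields of every C2 message, which makes it a usable network detection key. The following is an added example, not code from the sandbox report or from the malware: it frames and parses njRAT-style traffic using the splitter and port from the configuration above. The framing (a decimal payload length, a NUL byte, then the payload, with the command as the first field) follows public njRAT write-ups; the command names and the field contents in the sample stream are constructed for illustration.

```python
# Added example (not from the report): parse njRAT-style C2 traffic using the
# splitter extracted from this sample. Framing assumed from public njRAT
# analyses: "<decimal payload length>\x00<payload>", payload fields separated
# by the splitter, first field is the command. Sample data below is constructed.
from typing import List, Tuple

SPLITTER = b"|Ghost|"   # from the extracted config
C2_PORT = 7077          # from the extracted config


def build_message(command: str, *fields: str, splitter: bytes = SPLITTER) -> bytes:
    """Encode one message the way the client/server framing does (used to build test data)."""
    payload = splitter.join([command.encode()] + [f.encode() for f in fields])
    return str(len(payload)).encode() + b"\x00" + payload


def frame_messages(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a raw TCP byte stream into complete payloads.

    Returns (payloads, leftover); leftover is an incomplete trailing frame that
    should be prepended to the next chunk read from the socket/pcap.
    """
    payloads: List[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length field not complete yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length field at offset {pos}: {length_field!r}")
        length = int(length_field)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                   # payload not complete yet
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_payload(payload: bytes, splitter: bytes = SPLITTER) -> Tuple[str, List[bytes]]:
    """Return (command, fields) for one payload."""
    fields = payload.split(splitter)
    return fields[0].decode("latin-1"), fields[1:]


def looks_like_njrat(stream: bytes, splitter: bytes = SPLITTER) -> bool:
    """Detection heuristic: at least one well-framed message carrying the configured splitter."""
    try:
        payloads, _ = frame_messages(stream)
    except ValueError:
        return False
    return any(splitter in p for p in payloads)


if __name__ == "__main__":
    # Constructed stream: a check-in ("ll" is the registration command in public
    # njRAT analyses; the victim fields are made up), a keepalive, and a partial frame.
    stream = (build_message("ll", "HacKed_ABC123", "WIN-TEST", "user")
              + build_message("P")
              + b"12\x00partial")
    msgs, rest = frame_messages(stream)
    for m in msgs:
        print(parse_payload(m))
    print("leftover:", rest, "njrat:", looks_like_njrat(stream))
```

For live use, feed `frame_messages` the reassembled TCP stream towards port 7077 and carry the leftover between reads; the splitter check alone is the cheap filter, and the parsed command/field list is what you would log for the incident timeline.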
Targets

Target: wpcheck1915.exe
Size: 9.5MB (hashes as listed under General)
Signatures

- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2 (the 000webhostapp.com download URL in the Malware Config section)
- AutoIT Executable: an AutoIT script compiled to a PE executable.
- Suspicious use of SetThreadContext: rewriting the thread context of another (typically suspended) process is a standard step in process hollowing and similar injection, where the loader points the main thread at code it has written into the target.
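The signatures above (startup file drop, dropped EXE execution, network request) map directly onto the extracted configuration: a Run key value and a Startup folder entry named System.exe, an executable of that name, and a connection to port 7077. The following is an added example, not part of the sandbox report: it correlates those indicators over constructed Sysmon-style events (event IDs 1, 3, 11 and 13 are Sysmon's process create, network connection, file create and registry value set). The event records, paths and SID are made up; the indicator values come from the configuration above.

```python
# Added example (not from the report): match constructed Sysmon-style events
# against host and network indicators from the extracted njRAT config.
import re
from typing import Dict, Iterable, List

INSTALL_NAME = "System.exe"   # install name / reg_key from the extracted config
C2_PORT = 7077                # port from the extracted config

# Run key value named after the install name (Sysmon event 13 TargetObject).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(INSTALL_NAME) + r"$",
    re.IGNORECASE)
# Per-user Startup folder entry with the install name (Sysmon event 11 TargetFilename).
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\" + re.escape(INSTALL_NAME) + r"$", re.IGNORECASE)


def match_event(ev: Dict) -> List[str]:
    """Return the indicator names a single event satisfies (empty list if none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hits.append("persistence:run_key")
    if eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
        hits.append("persistence:startup_folder")
    if eid == 1 and ev.get("Image", "").lower().endswith("\\" + INSTALL_NAME.lower()):
        hits.append("execution:install_name")
    if eid == 3 and ev.get("DestinationPort") == C2_PORT:
        hits.append("network:c2_port")
    return hits


def triage(events: Iterable[Dict]) -> Dict[str, List[int]]:
    """Map each matched indicator to the RecordNumbers of the events that triggered it."""
    matched: Dict[str, List[int]] = {}
    for ev in events:
        for name in match_event(ev):
            matched.setdefault(name, []).append(ev["RecordNumber"])
    return matched


def is_likely_infected(events: Iterable[Dict]) -> bool:
    """Require a persistence artefact plus the C2 port; the bare name System.exe is too noisy alone."""
    m = triage(list(events))
    return any(k.startswith("persistence:") for k in m) and "network:c2_port" in m


# Constructed events (hypothetical paths, SID and record numbers), shaped like
# Sysmon fields as a SIEM would present them.
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "EventID": 1, "Image": r"C:\Users\lab\Desktop\wpcheck1915.exe"},
    {"RecordNumber": 2, "EventID": 11, "Image": r"C:\Users\lab\Desktop\wpcheck1915.exe",
     "TargetFilename": r"C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe"},
    {"RecordNumber": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\System.exe",
     "Details": r"C:\Users\lab\AppData\Roaming\System.exe"},
    {"RecordNumber": 4, "EventID": 1, "Image": r"C:\Users\lab\AppData\Roaming\System.exe"},
    {"RecordNumber": 5, "EventID": 3, "Image": r"C:\Users\lab\AppData\Roaming\System.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 7077},
    {"RecordNumber": 6, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print("likely infected:", is_likely_infected(SAMPLE_EVENTS))
```

The port and the install name are the weakest of these indicators on their own (7077 is an arbitrary high port and System.exe is a name other software may use), which is why the verdict insists on a persistence artefact together with the network connection; the Run key value name is the most specific single host indicator in this config.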