Per-task scores (sample names truncated as on the page)

Score  Sample               Platform
10     bazaar.202...nt.exe  windows7-x64
10     bazaar.202...nt.exe  windows10-2004-x64
10     bazaar.202...nt.exe  windows7-x64
10     bazaar.202...nt.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...et.exe  windows7-x64
10     bazaar.202...et.exe  windows10-2004-x64
10     bazaar.202...lf.exe  windows7-x64
10     bazaar.202...lf.exe  windows10-2004-x64
10     bazaar.202...lf.exe  windows7-x64
10     bazaar.202...lf.exe  windows10-2004-x64
10     bazaar.202...it.exe  windows7-x64
9      bazaar.202...it.exe  windows10-2004-x64
10     bazaar.202...nt.exe  windows7-x64
10     bazaar.202...nt.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
1      bazaar.202...an.exe  windows10-2004-x64
1      bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
10     bazaar.202...an.exe  windows7-x64
10     bazaar.202...an.exe  windows10-2004-x64
Score: 10/10

General
Target: 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47
Size: 6.3MB
Sample: 240917-g9sdgayflh
MD5: a2fc1e0d85da197a26203e22bdd1b5a2
SHA1: 4c2f2158f440347a0f722cd81eb806e28481b868
SHA256: 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47
SHA512: 6781742683061f15e74d6a62b16102dde83cafe1aa6f349e1ecec305dd3a72ea043709a19ec435a749e506efb4d93e82ea5ee620bfe60024a5782550eb7f8745
SSDEEP: 196608:d98omomtNNy/aJF3Jf7KQrNIdaBtlCJNfx2944bl465o:d98omvMKZmQagtU0N465o
Static task: static1

Behavioral tasks (task: sample, resource)
behavioral1: bazaar.2020.02/Backdoor.MSIL.Agent.exe (win7-20240903-en)
behavioral2: bazaar.2020.02/Backdoor.MSIL.Agent.exe (win10v2004-20240802-en)
behavioral3: bazaar.2020.02/Backdoor.MSIL.Agent.exe (win7-20240903-en)
behavioral4: bazaar.2020.02/Backdoor.MSIL.Agent.exe (win10v2004-20240802-en)
behavioral5: bazaar.2020.02/Backdoor.MSIL.Crysan.exe (win7-20240704-en)
behavioral6: bazaar.2020.02/Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral7: bazaar.2020.02/Backdoor.Win32.DarkKomet.exe (win7-20240708-en)
behavioral8: bazaar.2020.02/Backdoor.Win32.DarkKomet.exe (win10v2004-20240802-en)
behavioral9: bazaar.2020.02/Backdoor.Win32.Delf.exe (win7-20240903-en)
behavioral10: bazaar.2020.02/Backdoor.Win32.Delf.exe (win10v2004-20240802-en)
behavioral11: bazaar.2020.02/Backdoor.Win32.Delf.exe (win7-20240903-en)
behavioral12: bazaar.2020.02/Backdoor.Win32.Delf.exe (win10v2004-20240802-en)
behavioral13: bazaar.2020.02/Backdoor.Win32.Parazit.exe (win7-20240729-en)
behavioral14: bazaar.2020.02/Backdoor.Win32.Parazit.exe (win10v2004-20240802-en)
behavioral15: bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe (win7-20240903-en)
behavioral16: bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe (win10v2004-20240802-en)
behavioral17: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240903-en)
behavioral18: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral19: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240903-en)
behavioral20: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral21: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240729-en)
behavioral22: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral23: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240903-en)
behavioral24: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral25: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240903-en)
behavioral26: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral27: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240903-en)
behavioral28: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral29: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240903-en)
behavioral30: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win10v2004-20240802-en)
behavioral31: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe (win7-20240708-en)
Malware Config

Extracted: njrat (version 0.7d)
Botnet: Low3n
C2: 192.168.100.58:443, 192.168.42.7:443
Mutex: e4c7f2e5b82fac0d624ab661f39b28fa
reg_key: e4c7f2e5b82fac0d624ab661f39b28fa
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: HacKed
Mutex: aeeb7a2903c8c537463f288bcc5eed2e
reg_key: aeeb7a2903c8c537463f288bcc5eed2e
splitter: |'|'|

Extracted: asyncrat (version 0.5.6A)
Botnet: null
Mutex: ertretythhrrthttrhth
delay: 5
install: false
install_folder: %AppData%

Extracted: darkcomet
Botnet: hacked
C2: sexystar.myq-see.com:5552
Mutex: DC_MUTEX-6BSXQXU
InstallPath: MSDCSC\msdcsc.exe
gencode: 1JlJEAuNqqm6
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate

Extracted: darkcomet
Botnet: Mikel_04
C2: ventoclima.hopto.org:8678
Mutex: DC_MUTEX-J9C4X34
InstallPath: Temp\Taskmgrk.exe
gencode: mn82vWE9luVq
install: true
offline_keylogger: true
password: Mikel2019
persistence: true
reg_key: taskmgrk

Extracted: darkcomet
Botnet: Mikel50
C2: ventoclima.hopto.org:58589
Mutex: DC_MUTEX-1M2MJNL
InstallPath: temp\taskmgrk.exe
gencode: n7v7WtYPsejG
install: true
offline_keylogger: true
password: Mikel2019
persistence: false
reg_key: taskmgrk

Extracted: njrat (version Hallaj PRO Rat [Fixed])
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: 984559f52d4087243e95e5ad9bb48e8d
reg_key: 984559f52d4087243e95e5ad9bb48e8d
splitter: boolLove

Extracted: asyncrat (version 0.5.5A)
Botnet: null
C2: 192.168.1.9:8080
Mutex: jsdmhpiwkzhk
delay: 5
install: false
install_folder: %AppData%

Extracted: quasar (version 1.4.0.0)
Botnet: Infected
C2: noinmy.ddns.net:9999
Mutex: BW7JOTpOU1me7DhAhz
encryption_key: cuGnTFdzZchzOboCjJyu
install_name: dashost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: WinServe
subdirectory: DAF

Extracted: revengerat
Botnet: Guest
Mutex: RV_MUTEX

Extracted: revengerat
Botnet: LimeRevenge
Mutex: 3f4-8b13-1cf6666e4149

Extracted: njrat (version 0.7d)
Botnet: B HAT
Mutex: cd1f49ff557041b28396a032e2b161ee
reg_key: cd1f49ff557041b28396a032e2b161ee
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: NYAN CAT
C2: 127.0.0.1:5552
Mutex: 64dfa84fd6a14d54bb5da02b3d38a087
reg_key: 64dfa84fd6a14d54bb5da02b3d38a087
splitter: |'|'|

Extracted: njrat (version 0.7NC)
Botnet: NYAN CAT
Mutex: 13f63b20924948f
reg_key: 13f63b20924948f
splitter: @!#&^%$

Extracted: njrat (version 0.7d)
Botnet: Test Bypass cho down load
C2: 127.0.0.1:1234
Mutex: 165d6ed988ac
reg_key: 165d6ed988ac
splitter: |'|'|

Extracted: quasar (version 1.3.0.0)
Botnet: VN333
C2: billythesailor.ddns.net:4782, billythesailor.ddns.net:4707, billythesailor.ddns.net:4708
Mutex: QSR_MUTEX_EZD0hpIqeXmWmfSZR5
encryption_key: 6dtdGsEtLLsDNKEXgV4zSrTRpfxT2qGQ
install_name: Windows Startup Service.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Startup Service
subdirectory: SubDir

Extracted: limerat
Wallet: bc1quugyyqeyjw9z2qdetazwpp6jfpdqnscxj3jxgq
aes_key: 123
antivm: false
c2_url: https://pastebin.com/raw/zVbipP9N
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false

Extracted: remcos
Botnet: Host
C2: 127.0.0.1:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_vruzvedwdwvizfq
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5

Extracted: njrat
Botnet: Visual Studio
Mutex: d72f69dfb2e45fb7b2acbc62f8219a16
reg_key: d72f69dfb2e45fb7b2acbc62f8219a16

Extracted: njrat (version 0.6.4)
Botnet: HacKed
Mutex: 5cd8f17f4086744065eb0992a09e05a2
reg_key: 5cd8f17f4086744065eb0992a09e05a2
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: MyBot
C2: 127.0.0.1:8080, 1.243.157.185:6522
Mutex: 9e549438c56317b24cd87c987b694da8
reg_key: 9e549438c56317b24cd87c987b694da8
splitter: Y262SUCZ4UJJ

Extracted: njrat (version 0.6.4)
Botnet: YourPhone
C2: 157.245.220.192:1177
Mutex: bec01544ef6b0bb361f68d796213ad70
reg_key: bec01544ef6b0bb361f68d796213ad70
splitter: |'|'|

Extracted: njrat (version Njrat 0.7 Golden By Hassan Amiri)
Botnet: HacKeD
C2: 85:85
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: njrat
Botnet: YourPhone
Mutex: be7a6446994c64053a860ca10a12ce1e
reg_key: be7a6446994c64053a860ca10a12ce1e

Extracted: njrat (version 0.7d)
Botnet: required installation
C2: uxnr.ddns.net:7144
Mutex: a2d1b1b05cb0b58cf6e21aefb30df1db
reg_key: a2d1b1b05cb0b58cf6e21aefb30df1db
splitter: |'|'|

Extracted: njrat
Botnet: Person_Anonymous
Mutex: b48bd383056441b474989fb5582a172b
reg_key: b48bd383056441b474989fb5582a172b

Extracted: njrat
Botnet: Hacked By HiDDen PerSOn
Mutex: 687a11c6212507fa992aa1644b336ef5
reg_key: 687a11c6212507fa992aa1644b336ef5

Extracted: njrat (version im523)
Botnet: HacKed By KiLLeR
C2: killerfo2.ddns.net:1177, killerfo22.ddns.net:1177
Mutex: 61e53fca4b50eaee89f696351aed3589
reg_key: 61e53fca4b50eaee89f696351aed3589
splitter: |'|'|

Extracted: njrat (version im523)
Botnet: HacKed
C2: 127.0.0.1:5552, yano.ddns.net:1605, 84.217.125.142:80, 127.0.0.1:35855, hostnj.ddns.net:1177
Mutex: 7d6d30a897de0ce8a1f25f71e40d0c4d
reg_key: 7d6d30a897de0ce8a1f25f71e40d0c4d
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: client
C2: akamaru.ddns.net:1605, netcatclink.ddns.net:4444
Mutex: aa15bd929c7132fe8f63fd4d0ae48d6c
reg_key: aa15bd929c7132fe8f63fd4d0ae48d6c
splitter: |'|'|
Extracted: njrat (version Njrat 0.7 Golden By Hassan Amiri)
Botnet: HacKed
C2: 192.168.234.154:5555
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: njrat (version 0.7d)
Botnet: Test
C2: 10.10.10.25:2525
Mutex: 2cf8612501da0a1a00fe5c300206e7a5
reg_key: 2cf8612501da0a1a00fe5c300206e7a5
splitter: |'|'|

Extracted: njrat (version im523)
Botnet: bustabit
C2: wogusnn.ddns.net:5553
Mutex: d963ad78fcad26750b040b7fff9e4835
reg_key: d963ad78fcad26750b040b7fff9e4835
splitter: |'|'|

Extracted: njrat (version im523)
Botnet: HacKed PUBG
C2: cantburn.hopto.org:1177
Mutex: 7b5444a8f8ca9a359aadb891c7e9f01b
reg_key: 7b5444a8f8ca9a359aadb891c7e9f01b
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: HHHXXX
C2: black101.ddns.net:1177
Mutex: c7c947d665980e197b736d98adf01cc0
reg_key: c7c947d665980e197b736d98adf01cc0
splitter: |'|'|

Extracted: njrat (version Kjh)
Botnet: 마인크래프트
C2: 14.46.160.76:5552
Mutex: 06d63ada0dc02c6a44ed3c3fc5c89d83
reg_key: 06d63ada0dc02c6a44ed3c3fc5c89d83
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: HacKed
C2: x014.hopto.org:4444, 192.168.1.16:4444
Mutex: Windows Update
reg_key: Windows Update
splitter: |'|'|

Extracted: njrat (version Njrat 0.7 Golden By Hassan Amiri)
Botnet: Kulum
C2: 34.89.221.19:4444
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: njrat (version 0.7d)
C2: 45.76.29.16:5552
Mutex: 738e6a0cd25e647b7eb7d6cdad689401
reg_key: 738e6a0cd25e647b7eb7d6cdad689401
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: Pubg Mobile
C2: Owais5050-61656.portmap.io:56607
Mutex: 6cd2713f4eecf0bba2b136a5ea65aac1
reg_key: 6cd2713f4eecf0bba2b136a5ea65aac1
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: pinatanai
C2: 159.65.15.187:5555
Mutex: ca60c420c99495343bf4e523a6b382cc
reg_key: ca60c420c99495343bf4e523a6b382cc
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: deme
C2: 192.168.1.34:4444
Mutex: 4a511581dfdc310e4c48feb89e0695f4
reg_key: 4a511581dfdc310e4c48feb89e0695f4
splitter: Y262SUCZ4UJJ
Extracted: njrat (version Kjh)
Botnet: HacKed
C2: 180.230.116.72:5552
Mutex: 8e3709de950aab92ac1a166058ff0595
reg_key: 8e3709de950aab92ac1a166058ff0595
splitter: |'|'|

Extracted: njrat (version 0.6.4)
Botnet: Person
C2: 127.0.0.1:456
Mutex: dae31c02cb06222e776b9ccb9207edb1
reg_key: dae31c02cb06222e776b9ccb9207edb1
splitter: |'|'|

Extracted: njrat (version Njrat 0.7 Golden By Hassan Amiri)
Botnet: gariban
C2: rothilione-41041.portmap.io:41041
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: njrat
Botnet: 2020/
Mutex: cad6ec042b06ac31e129fbc8d13eabe6
reg_key: cad6ec042b06ac31e129fbc8d13eabe6

Extracted: njrat (version Njrat 0.7 Golden By Hassan Amiri)
Botnet: 34234234
C2: 146.158.107.225:8408
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: njrat
Botnet: SAD NIGGA HOURS
Mutex: 06ba6a3d895af3b2b6823852ec271c67
reg_key: 06ba6a3d895af3b2b6823852ec271c67

Extracted: njrat (version 0.7.3)
Botnet: Lime
C2: 195.222.172.238:5228
Mutex: svchost.exe
reg_key: svchost.exe
splitter: njrat

Extracted: njrat (version Njrat 0.7 Golden By Hassan Amiri)
Botnet: topher
C2: tolga182-49359.portmap.host:1604
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: njrat
Botnet: Hacked
Mutex: 19398dcbfdab92aeb0734478a2451d20
reg_key: 19398dcbfdab92aeb0734478a2451d20

Extracted: njrat
Botnet: roby
Mutex: 4bda69d82f2ad26800386604df9bc3de
reg_key: 4bda69d82f2ad26800386604df9bc3de

Extracted: njrat (version 0.7d)
Botnet: victime
C2: tutoratderz.ddns.net:5552, tutoratderz.ddns.net:1605
Mutex: 61f6d5680d79146f1177cacbfc3022ce
reg_key: 61f6d5680d79146f1177cacbfc3022ce
splitter: |'|'|

Extracted: revengerat
Botnet: NyanCatRevenge
Mutex: 2cc2152a0871

Extracted: revengerat
Botnet: R A D
C2: KevinDavis-58161.portmap.host:58161, 192.168.1.112:4444, kevindavis-58161.portmap.host:58161
Mutex: RV_MUTEX

Extracted: revengerat
Botnet: system
C2: yj233.e1.luyouxia.net:20645
Mutex: RV_MUTEX-GeVqDyMpzZJHO

Extracted: revengerat
Botnet: YT
C2: yukselofficial.duckdns.org:5552
Mutex: RV_MUTEX-WlgZblRvZwfRtNH

Extracted: quasar (version 1.3.0.0)
Botnet: Office04
Mutex: QSR_MUTEX_QSMxTkfFj770mwaMaj
encryption_key: zunmXxOhff9hBVcOIy8a
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: windows
subdirectory: SubDir

Extracted: quasar (version 1.3.0.0)
Botnet: Kurban
C2: gameranil88-34655.portmap.io:34655
Mutex: QSR_MUTEX_Mq8fSFRilMUG89GjSc
encryption_key: wE4B3JaW3vEUIIrvszcF
install_name: Client.exe
log_directory: Logs
reconnect_delay: 1
startup_key: WindowsUptade
subdirectory: SubDir

Extracted: quasar (version 1.3.0.0)
Botnet: Force One
C2: umcarasozinho.giize.com:5552
Mutex: QSR_MUTEX_rXuzhrms6m5Gx0d0lk
encryption_key: 2yzv2TDIqCeGLodEWuqz
install_name: systemhelper.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: systemhelper
subdirectory: SubDir

Extracted: quasar (version 1.3.0.0)
Botnet: New
C2: ipaf3.sytes.net:5353, ipaf4.sytes.net:5353
Mutex: QSR_MUTEX_IRT4UgcGhk975OVXdn
encryption_key: AWkTsOYsl9wIkH8LUfG4
install_name: Driver.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Drivers
subdirectory: Drivers

Extracted: quasar (version 1.3.0.0)
Botnet: CoDer
C2: skypeprocesshost.ddns.com.br:4782, workwinrarhost.ddns.com.br:4782, office.minhaempresa.tv:4782, authy.winconnection.net:4782
Mutex: QSR_MUTEX_waaDBjBTwvE4jQF1CY
encryption_key: syxdBvDrFCjAln3AxGRZ
install_name: 0ffice.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: msg
subdirectory: Office

Extracted: quasar (version 1.3.0.0)
Botnet: Ps
C2: 45.74.53.124:4782
Mutex: s5v8y/B?E(H+MbQeThWmZq3t6w9z$C&F)J@NcRfUjXn2r5u7x!A%D*G-KaPdSgV
encryption_key: sEybIz3EK3xXIpG2z1h2
install_name: Client.exe
log_directory: Logs
reconnect_delay: 0
startup_key: Quasar Client Startup
subdirectory: SubDir

Extracted: quasar (version 1.3.0.0)
Botnet: Force One PC MASTER
C2: apenasumcarasozinho.hopto.org:5552
Mutex: QSR_MUTEX_HqC3bVY0FTFbgxQirr
encryption_key: 5RhS5uBxvlwTtS4KFhfw
install_name: systemHelper.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: systemhelper
subdirectory: SubDir

Extracted: nanocore (version 1.2.2.0)
Mutex: 8c89a093-5ac7-424e-8c76-2e80c157bade
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2019-10-14T14:42:04.641145036Z
bypass_user_account_control: false
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1543
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 8c89a093-5ac7-424e-8c76-2e80c157bade
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: uniformmm.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Extracted: njrat (version 0.7d)
Botnet: Downloading
C2: console-wifi.ddns.net:5552
Mutex: 3dfad3bbc7bad1562c683adfee1a8e48
reg_key: 3dfad3bbc7bad1562c683adfee1a8e48
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: RECUP NOIP
C2: 9292.ddns.net:10140
Mutex: 1f0c56d11a4a44433acf4728c597fd66
reg_key: 1f0c56d11a4a44433acf4728c597fd66
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: 내따꽈리
C2: asdgdcvxzcv.kro.kr:2222
Mutex: 651deda00b27ab86d974483926aa2300
reg_key: 651deda00b27ab86d974483926aa2300
splitter: |'|'|

Extracted: njrat (version 0.7d)
Botnet: NEW
C2: sharrych.ddns.net:5556
Mutex: 723520b640cb39476dbbd3d566c664da
reg_key: 723520b640cb39476dbbd3d566c664da
splitter: |'|'|

Extracted: njrat (version 0.6.4)
Botnet: clienta
C2: achraf4.ddns.net:4500
Mutex: 59d56b3983b444c86e2da951d0302f3b
reg_key: 59d56b3983b444c86e2da951d0302f3b
splitter: |'|'|

Extracted: warzonerat
C2: tresor2020.ddns.net:2020, 178.238.8.111:2626

Extracted: cybergate (version v1.07.5)
Botnet: remote
C2: 127.0.0.1:999, 127.0.0.1:81
Mutex: 0Y7117LDCV0730
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
Targets

Target: bazaar.2020.02/Backdoor.MSIL.Agent.jdt-72fd107044ae159a7a80813fe902a132f12eedd01c63fd9e506cf05e088e7491
Size: 89KB
MD5: f54eea2b9a7c0259b87a5303a526d818
SHA1: 641fcc96b0e288f7c5b1d0b94d6be1be2939e38e
SHA256: 72fd107044ae159a7a80813fe902a132f12eedd01c63fd9e506cf05e088e7491
SHA512: 36d1fb8553f454b1edbd719d4805e3d120b243960fb82ff640e52e3d3c9710a8761128079f981da011ad931c1117c0d7317f051bd4fd71a5bad93b7862dafde5
SSDEEP: 384:W8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZVPe+8tp:AY+sNKqNHnSdRpcnu+REgTK
Signatures: Modifies Windows Firewall; Drops startup file; Adds Run key to start application

Target: bazaar.2020.02/Backdoor.MSIL.Agent.jdt-aa918b196328f1fe341b5b48cb5d28f31a94b92b279fcf36baaea55a0a8886f1
Size: 23KB
MD5: a5c91c0df00109626c011eb185e94138
SHA1: d79d3612639318cf0e9d8fedd9529dd1017863b5
SHA256: aa918b196328f1fe341b5b48cb5d28f31a94b92b279fcf36baaea55a0a8886f1
SHA512: 65d929307e1266ec6bf40e8b979e39a1ac867c27f094a4e987e469a176819e4efb6904826f57938be993a5c9b674b0ee440b4f62d9254f6cffd43f4787efadf9
SSDEEP: 384:n8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZPb6:rY+sNKqNHnSdRpcnug6
Signatures: Modifies Windows Firewall; Checks computer location settings (looks up country code configured in the registry, likely geofence); Executes dropped EXE; Loads dropped DLL; Adds Run key to start application

Target: bazaar.2020.02/Backdoor.MSIL.Crysan.acs-d8e091f7e30656be6ba24890a96982b3a9def6123597c0b5ea740f8560ce45c1
Size: 46KB
MD5: 1aaf59f55909d4a71e391fe83ab33646
SHA1: 6087fb94d8e84397f52b433f6d4593a8351d5649
SHA256: d8e091f7e30656be6ba24890a96982b3a9def6123597c0b5ea740f8560ce45c1
SHA512: 300b5ea3f87f468db10fd28cee729cac80fd59441420e446e5c8336d3e62d0d9f8e88a62f7be55bd47b6422da9c9242a8663bf98bcfc929d15ad94fa7ecac76b
SSDEEP: 768:bqXwHbXXUIbphkOicvHk3eHlWMPbPgF0qp9NwEBNYFVYI6OCy2tYcFmVc6K:b5bphXvZH0ub4FrDNZBNqz6O3KmVcl

Target: bazaar.2020.02/Backdoor.Win32.DarkKomet.aagt-4c1b6befb06152412567869f27c006cba39f4ac3b1c5dbcf8694a65367444df5
Size: 251KB
MD5: b7b88850bc66c349bc02f81a3b443f39
SHA1: 4c4fe6f2dc874ca6c3b1d117e8da00e7114860e0
SHA256: 4c1b6befb06152412567869f27c006cba39f4ac3b1c5dbcf8694a65367444df5
SHA512: 47c7cd05d6716eaefc1a4305f227e9f95423ede5bb991135d6839c0d1f4b65d7c204bc9c07696ec5d4f71214adc4d6b0976d2fe03d2434e68fd8637a40dad282
SSDEEP: 6144:QcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:QcW7KEZlPzCy37
Signatures: Modifies WinLogon for persistence; Checks computer location settings (looks up country code configured in the registry, likely geofence); Executes dropped EXE; Loads dropped DLL; Adds Run key to start application

Target: bazaar.2020.02/Backdoor.Win32.Delf.aecw-a2f4d3da25e52d88eafb7a7da242e9bb507fe4626af58ca3b8c1a13e391c2000
Size: 253KB
MD5: 94d715c76354182482dcc8fb446a1be7
SHA1: 3d6497669c371e33c2e4055f9eb8c00dc5104387
SHA256: a2f4d3da25e52d88eafb7a7da242e9bb507fe4626af58ca3b8c1a13e391c2000
SHA512: e85e1ae231318c403a3aea0af312f587abbf55392fb8677543e363d9245054a939ad635a0094c0884b01f2e0171eb2919b43c556b472724bb103637cee206965
SSDEEP: 6144:nD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZbNW:nl8E4w5huat7UovONzbXwg
Signatures: Modifies WinLogon for persistence; Modifies security service; Checks computer location settings (looks up country code configured in the registry, likely geofence); Executes dropped EXE; Loads dropped DLL; Adds Run key to start application

Target: bazaar.2020.02/Backdoor.Win32.Delf.aecw-fa3981228b5b124a8b51fa64f8b6d5d05899165647dc50322b717d7ab63d4997
Size: 350KB
MD5: 7705cbb21d01877e944fda88286ac48a
SHA1: c994c00fbd6b935f963be4bd548a202bda50cb07
SHA256: fa3981228b5b124a8b51fa64f8b6d5d05899165647dc50322b717d7ab63d4997
SHA512: 88cf000b606ea0f7d8ef12da9b9a609468e674c37af679f15ae37ddc5fa416319d739d99ce139436d5ff3da3d00f15343be5f4bcc19beb3d06c92d550f0d9345
SSDEEP: 6144:WD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZODavMMV3:Wl8E4w5huat7UovONzbXwtEMV
Signatures: Modifies WinLogon for persistence; Checks computer location settings (looks up country code configured in the registry, likely geofence); Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory

Target: bazaar.2020.02/Backdoor.Win32.Parazit.aw-4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88
Size: 48KB
MD5: d52448cb39e67d27dae28f60906affcc
SHA1: 803c032ddeb9bcb46d828cf6bdc989d1a25cc660
SHA256: 4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88
SHA512: f5b9ada70e56f1e95dce6b95a612bf1ebef301be79328b802a7bce1e225ba78eabbaf825d8153215460625c1e6432add972f9c597a9d318973338a1a7895740d
SSDEEP: 768:ULvM+2O7Gel5quISq41ET8n7efFKuaAu4ycpV0byA8Bw4/xv5fS5:cCvel5HnqDY6f4vBcpsraW
Score: 10/10
Signatures: Enumerates VirtualBox registry keys; Identifies VirtualBox via ACPI registry values (likely anti-VM); Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments); Identifies Wine through registry keys (Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment); Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.gen-0eb3ab9e4c6bc5903674d8f9b36a1a59825fa4e1c2d7209be4d7a0c16dc6168f
Size: 23KB
MD5: f2e6febd5ac77954b3c8f460d5fa2598
SHA1: 7d7cffc86d330242f7f966d24dfd0605e2d21a23
SHA256: 0eb3ab9e4c6bc5903674d8f9b36a1a59825fa4e1c2d7209be4d7a0c16dc6168f
SHA512: 68c92f47c337904aa58b3c64a0d3513e005e48bb0b9b0cd90b30cb2c31be6b54e1ba3a961af7f3370cc6fbb38ea66bde91d509988023f5d0912420fa6800b135
SSDEEP: 384:xMsmCsg/EJHOzt+Z7SS1BEd1ng6Jgf24tfZVmRvR6JZlbw8hqIusZzZF/:trEi01jyRpcnuS
Signatures: Checks computer location settings (looks up country code configured in the registry, likely geofence); Drops startup file; Executes dropped EXE; Loads dropped DLL

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-0a276fdaf3367ca3fd4cf90eb338dd3d0575ba3979f1bd609ce58e13e2aa0a8e
Size: 46KB
MD5: b36ed4b297c327eb67746e85fe4434f4
SHA1: 7f24843a465e1e811b82a79ced5b071f7350155b
SHA256: 0a276fdaf3367ca3fd4cf90eb338dd3d0575ba3979f1bd609ce58e13e2aa0a8e
SHA512: d7002fcabec0e34f5200df23e1ba2b9b840ed502f7b22da9c231613092aa853d8fa1b76b6e934947c13ffbfab5ba49be1c057944c726f9b9cb565470c22c2cbf
SSDEEP: 768:YCqJlzbXvMdSXekOicvHk3eHlWMPbPgF0qV1ZGF4G1Pc1pBSDHLw5YI6OC22tYch:YCjCeXvZH0ub4Fr/ZUdW1/uHL06O7Kme
Signatures: Checks computer location settings (looks up country code configured in the registry, likely geofence); Executes dropped EXE

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-0e7c56b00281e18e385042a28f0e6202fbe39f3cdb219d17489799fca09b6550
Size: 46KB
MD5: 36959ff8dbe435a6d48ca9c3c6699a27
SHA1: 55ebd85589544886920b51779d36336f38ea9781
SHA256: 0e7c56b00281e18e385042a28f0e6202fbe39f3cdb219d17489799fca09b6550
SHA512: 42207753bdbd3821532685fa5870384ac4fa450baeacc99e5764401caba94e41b0df0ee0bd85ad597176902db20ccc6d93d47243300bb3d128adf26fc31df758
SSDEEP: 768:9qXrebXXEF5STUkOicvHk3eHlWMPbPgF0qtL+A03byeRThjYI6OC32tYcFmVc6K:9Y5STUXvZH0ub4FrtL+A03RTht6OyKme

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-0eeb561ea16bf80e301847add0363445976f5ab518d23e499cbf1f7ce9e6fc59
Size: 46KB
MD5: 34dd1859e3b572cb15c85c7255d1a2dd
SHA1: 76f166cef6f5a11d45e5d0cbc53c40b8e89ccb73
SHA256: 0eeb561ea16bf80e301847add0363445976f5ab518d23e499cbf1f7ce9e6fc59
SHA512: 2373268b5da51e3f8ca0eb6f8fefa5e801c7c4494944296cf1ab4df7c9f5c274cb6a6ae3ef972ddb065d078d0954324a3651ade4f7725ff71e474958e2932b90
SSDEEP: 768:o+qb/VbXngXB6XqkOicvHk3eHlWMPbPgF0qk86nFVS3pALZtYI6OCq2tYcFmVc6K:o+joaXvZH0ub4FrktFVS3pid6O/KmVcl

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-0f268e9be95d203c8d5cfa33d50ad7f623f13746bd97ec24703959dc08d97a9b
Size: 46KB
MD5: 305a2bab3acfb2a2ddc57f06a4b64471
SHA1: 357f18e24572b55b6270db3485f39b3a06278fd7
SHA256: 0f268e9be95d203c8d5cfa33d50ad7f623f13746bd97ec24703959dc08d97a9b
SHA512: 49be514325a15e7e132a98309f8645083d30d23ba4fb05b6487f691c3ee1336dd007d88b2ea644875b96bc8d725792c341ccf062485099a5e7243084e19e7b82
SSDEEP: 768:xqYVNZJrbXvkjjVKLUSQ1PkOicvHk3eHlWMPbPgF0qR55nhbej574rYI6OCu2tY:xkjV2UdXvZH0ub4Frddejx4l6ODKmVcn

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-2b70dd97d36efbbadd5f63afc22e28dc53d26302bae846b4f4e49e27cf95a70f
Size: 110KB
MD5: 8944e61729e65362b848dcc0268e9ddf
SHA1: b29fd4c60f312d89ee4d87deb2e0a72e7384d8db
SHA256: 2b70dd97d36efbbadd5f63afc22e28dc53d26302bae846b4f4e49e27cf95a70f
SHA512: dc50237c10e07f708125e27da1206caa9051b06e55ff0c7dadf4d7ddad3ef1580a91c9d2fdcf48c4e57101ab5ee9574a515a062e704205b5339c4e8e6ea0298f
SSDEEP: 1536:FZ3ObRIV3YMZQNbmrC5ByUv6OthlDevOpzLNWQh2QIsexEFHk15Z4vh6fNzxF0gd:FobRIVtZQNbm2fyaosrU8UZ4vQfp10z

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-4ece7a3cd6313c022ce3d30028a8af4f4f4da6a35efcddb8136b4bb5520fdb21
Size: 79KB
MD5: e9e80e0e30405fa4d559d5303c72bf8e
SHA1: b6f3e43efc6ad94f87a36d25d4aa9f495a3af0f7
SHA256: 4ece7a3cd6313c022ce3d30028a8af4f4f4da6a35efcddb8136b4bb5520fdb21
SHA512: ceba55d8cd62855d1254257f2c250150b3e08edf0260b907e80b45b5b2891bd9185d0290b945314fcf04c047bcbe1b94eb8a4f753cc7ee1b51575c1afd093215
SSDEEP: 1536:3VZUzbOcyyPYvkx1ocD6v4cUqBYZDZ1bXgYqEiR3DY3:lZOtx1ocDncxYZl1bXgFEipDy
Score: 1/10

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
Size: 46KB
MD5: ceef7b8296b733da0be864ccdf41ce77
SHA1: c66de07f66ace03ef1e140c8e46525c27df94b04
SHA256: 5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
SHA512: 62241a9b37933edd4c751316c9cc8a8b195766d81baab7d5b2ef3a532c464e6d76fe9d781ac94c1aff587052a3d9e18478e509e51313656bc2db2b38df792c70
SSDEEP: 768:vqdwSbXx6csbXkOicvHk3eHlWMPbPgF0qybI6QolYI6OCC2tYcFmVc6K:vJbXXvZH0ub4FrybI6Qm6OnKmVcl
Signatures: Checks computer location settings (looks up country code configured in the registry, likely geofence); Executes dropped EXE

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.gen-5be5dbcf6753c5607b5c95bf93e71f1d71fcb2c6ff691f949e237bc6df77a34a
Size: 46KB
MD5: b0ccfc015178530287777e5feae9a884
SHA1: 4b688412891cd85a7dd507134e8d5f7d81163ab9
SHA256: 5be5dbcf6753c5607b5c95bf93e71f1d71fcb2c6ff691f949e237bc6df77a34a
SHA512: c837315f3481636872bf642729ebcc9b286fb834099ef488dd8f1f4f5cf589b9a8ca18718ff4a14d1c4ff95c33e29239475dace168156125fdaf85da3b737f15
SSDEEP: 768:8qLytbXZ+uuTkOicvHk3eHlWMPbPgF0qoW/0aYaMtiYI6OC62tYcFmVc6K:8HuTXvZH0ub4FrlMaYaMw6OPKmVcl
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Modify Registry (6)
  Virtualization/Sandbox Evasion (5)