496e614ee33a8b2c184dabe650687879

PE Executable
|
MD5: 496e614ee33a8b2c184dabe650687879
|
Size: 56.32 KB
|
application/x-dosexec

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	496e614ee33a8b2c184dabe650687879
Sha1	d2db2d01bd7a084242bcafd2f571e4b3d369d6e3
Sha256	6e6f89821d980d1305a0f7a333e529fdb212b10ffcd8e11c32d9a36f3326458e
Sha384	0e950ae361569f941d951daf1aaa570e8b7644f301b0e219fc59b55efbd98b06ce06e7ced03f9d3041342043590bacfb
Sha512	b937c78bcd888f2717919ac93fc0247c00efbfa767fd9d0f1e6479ac9594e77a4367cd25540562b8d07c79dd64b0202f72b7b3e8ef924d7de3a64b19f680b1c3
SSDeep	1536:5Wv4Dnpe/NoTcwiDESPDJwsNMDkXExI3pmPm:04Dn8ymDRPDJwsNMDkXExI3pm
TLSH	A9432844BFEA4A01E2BD8F3469F655150A34BA63E932EB1F48D168DB53327C58C40FE6

PeID

.NET executable

Microsoft Visual C# / Basic .NET

Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL

Microsoft Visual C# v7.0 / Basic .NET

Microsoft Visual Studio .NET

File Structure

Malware Configuration - njRAT config.

Config. Field0	Value
packet_size [b]	5121
BD [BD]	False
directory [DR]	TEMP
executable_name [EXE]	dllhost.exe
cnc_host [H]	classic-dave.gl.at.ply.gg
is_dir_defined [Idr]	False
Anti_CH	False
is_startup_folder [IsF]	False
USB_SP	False
is_user_reg [Isu]	False
cnc_port [P]	58261
reg_key [RG]	df9849efb0d147ce8dc744bc79ecd4c3
reg_path [sf]	Software\Microsoft\Windows\CurrentVersion\Run
victim_name [VN]	Member
version [VR]	<- NjRAT 0.7d Horror Edition ->
splitter [Y]	Y262SUCZ4UJJ
MSGE	Disabled
MSGT	Themida
MSGB	Sorry, this application cannot run under a Virtual Machine
MSGSYM	vbCritical
OBITO	Disabled
TSKE	Disabled
TSK	Wireshark.exe
KAKASHI	Disabled
AKATSUKI	Disabled
CLEANSWEEP	Disabled
PASTEE	Disabled
PASTEBIN	https://pastebin.com/raw/???
CLIP	null
UAC	Disabled
nowifi	off

Informations

Name0	Value
Info	PE Detect: PeReader OK (file layout)
Module Name	Stub.exe
Full Name	Stub.exe
EntryPoint	System.Void j.A::main()
Scope Name	Stub.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v2.0.50727
Tables Header Version	512
WinMD Version	<null>
Assembly Name	Stub
Assembly Version	0.0.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	<null>
Total Strings	539
Main Method	System.Void j.A::main()
Main IL Instruction Count	2
Main IL	call System.Void j.OK::ko() ret <null>
Module Name	Stub.exe
Full Name	Stub.exe
EntryPoint	System.Void j.A::main()
Scope Name	Stub.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v2.0.50727
Tables Header Version	512
WinMD Version	<null>
Assembly Name	Stub
Assembly Version	0.0.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	<null>
Total Strings	539
Main Method	System.Void j.A::main()
Main IL Instruction Count	2
Main IL	call System.Void j.OK::ko() ret <null>

Artefacts

Name0	Value
CnC	classic-dave.gl.at.ply.gg
Port	58261

496e614ee33a8b2c184dabe650687879 (56.32 KB)

File Structure

Characteristics

Malware Configuration - njRAT config.

Config. Field0	Value
packet_size [b]	5121
BD [BD]	False
directory [DR]	TEMP
executable_name [EXE]	dllhost.exe
cnc_host [H]	classic-dave.gl.at.ply.gg
is_dir_defined [Idr]	False
Anti_CH	False
is_startup_folder [IsF]	False
USB_SP	False
is_user_reg [Isu]	False
cnc_port [P]	58261
reg_key [RG]	df9849efb0d147ce8dc744bc79ecd4c3
reg_path [sf]	Software\Microsoft\Windows\CurrentVersion\Run
victim_name [VN]	Member
version [VR]	<- NjRAT 0.7d Horror Edition ->
splitter [Y]	Y262SUCZ4UJJ
MSGE	Disabled
MSGT	Themida
MSGB	Sorry, this application cannot run under a Virtual Machine
MSGSYM	vbCritical
OBITO	Disabled
TSKE	Disabled
TSK	Wireshark.exe
KAKASHI	Disabled
AKATSUKI	Disabled
CLEANSWEEP	Disabled
PASTEE	Disabled
PASTEBIN	https://pastebin.com/raw/???
CLIP	null
UAC	Disabled
nowifi	off

Artefacts

Name0	Value	Location
CnC	classic-dave.gl.at.ply.gg Malicious	496e614ee33a8b2c184dabe650687879
Port	58261 Malicious	496e614ee33a8b2c184dabe650687879

You must be signed in to post a comment.