njrat | d91af630cbb6a8c648dfbd18e181fc6b8243e7c8e9bd4fb40045e4711a797b6a | Triage

Submit
Reports

Overview

overview

Static

static

injcetor.exe

windows7-x64

injcetor.exe

windows10-2004-x64

Sharing

General

Target

injcetor.bin.zip
Size

914KB
Sample

220820-hb452sgagq
MD5

6440f1d781cb8634fc75319df46feff7
SHA1

34da1a0340fd4b9409ef1853b12f3219a6dae215
SHA256

d91af630cbb6a8c648dfbd18e181fc6b8243e7c8e9bd4fb40045e4711a797b6a
SHA512

7c60fe08be6baa56a3df2bdbda18b70a2c3e85c2cb9967907e10478a3896d2b90e952a8a45f54833a03974254a8517680a88fad4b31336fe8b08e75ebc2bca73
SSDEEP

24576:2GHAp/tN9oeMVsYwZIgs46AEZ7CWG7RPHkHb4CO:2GHE/HPMtwZy46gh7RPHMDO

Score

10^/10

njrat redline @heatwins hacked infostealer persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

injcetor.exe

Resource

win7-20220812-en

njrat redline @heatwins hacked infostealer persistence spyware trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

injcetor.exe

Resource

win10v2004-20220812-en

njrat redline @heatwins hacked infostealer persistence spyware trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

be09dd19.ddns.net:1337

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Extracted

Family

redline

Botnet

@heatwins

C2

101.99.93.104:80

Attributes

auth_value
17c423c2282427bab2bc1b1703c250bf

Targets

- Target
  
  injcetor.bin
- Size
  
  3.4MB
- MD5
  
  fd1f9974340c428b15e8bf838122326d
- SHA1
  
  c07709c671960f880c568516572b594ad5946029
- SHA256
  
  b2421dc681198079bfa3cae05c63750b3847211ab307051604c5e7e0ca2033a1
- SHA512
  
  647d9cc2d63dae6a4bfcb055b3d82bfae887fe08dfc04de6312f4a9953c64bbb2a16e225e79ee0ce1777676ab9465942e3a165a9d0feb921173858a3b4a10953
- SSDEEP
  
  24576:VQqt82oJ5L4RGVFoQ0C/Q12H0RmAdmR8dG2FAYOcy7qWDLUTk+vJ3UcDS0ScE1k9:BxyqCLQFzB5
Score

10^/10

njrat redline @heatwins hacked infostealer persistence spyware trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Hidden Files and Directories

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

njratredline@heatwinshackedinfostealerpersistencespywaretrojan

behavioral2

njratredline@heatwinshackedinfostealerpersistencespywaretrojan

© 2018-2024

Terms | Privacy