njrat | 8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651

General

Target

8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
Size

102KB
Sample

221128-m7r8kshd93
MD5

b04423987d7a01ca1bf5b1f8f2b77b0c
SHA1

6468823f6da30059a2750cf2b4599fdb8e450f05
SHA256

8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
SHA512

c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295
SSDEEP

1536:TcTbDj6OLC73ybzlr6kI+KEBXiI40n6aDnOae98fAaMGSSpvvKet2Hbq86Dm:TcX6OWqzlUUBSpE6aDOOvvNtP86Dm

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

nEwHacKed

C2

slowburn.linkpc.net:6760

Mutex

a5e14c6feeac7389fad3a06801dddd4f

Attributes

reg_key
a5e14c6feeac7389fad3a06801dddd4f
splitter
|'|'|

Extracted

Family

pony

C2

http://slow1234.serveftp.com/duos/gate.php

Targets

- Target
  
  8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
- Size
  
  102KB
- MD5
  
  b04423987d7a01ca1bf5b1f8f2b77b0c
- SHA1
  
  6468823f6da30059a2750cf2b4599fdb8e450f05
- SHA256
  
  8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
- SHA512
  
  c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295
- SSDEEP
  
  1536:TcTbDj6OLC73ybzlr6kI+KEBXiI40n6aDnOae98fAaMGSSpvvKet2Hbq86Dm:TcX6OWqzlUUBSpE6aDOOvvNtP86Dm
Score

10^/10

njrat pony newhacked collection discovery evasion persistence rat spyware stealer trojan upx
- Modifies WinLogon for persistence
  persistence
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2