njrat | 2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad | Triage

Sharing

General

Target

2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad
Size

9.8MB
Sample

230129-ygkxcsbc83
MD5

fd86b6c98d65c9d38322424386034c81
SHA1

9c548ab70e4d4f18e92b5cdd62c909c58f5e9b66
SHA256

2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad
SHA512

6eed4fdb7b3c5896ffa93a20671e36068258425e2ac29edcedfd2638a2ea7a16b302ac8e91a91ef3061355ea1c0e154976476d1ea9d15409fe830cebf31a2f12
SSDEEP

196608:6C86m9+NO3mj55jt28jBDpOGce1rjUhz+XshT3olw39xPis5BskMoiE:6C86SMO3iDhBU5hT3o239xqo

Score

10^/10

njrat quasar defender hacked persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.6.0.0

Botnet

defender

C2

20.82.128.5:4444

Mutex

HkuL6QRMZaTdYNlEJY

Attributes

encryption_key
auS4Dqyt2zp1gKolism7
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
C:\Users\neilish\Desktop\rat

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

20.199.40.163:4444

Mutex

Launcher

Attributes

reg_key
Launcher
splitter
|-F-|

Targets

- Target
  
  2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad
- Size
  
  9.8MB
- MD5
  
  fd86b6c98d65c9d38322424386034c81
- SHA1
  
  9c548ab70e4d4f18e92b5cdd62c909c58f5e9b66
- SHA256
  
  2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad
- SHA512
  
  6eed4fdb7b3c5896ffa93a20671e36068258425e2ac29edcedfd2638a2ea7a16b302ac8e91a91ef3061355ea1c0e154976476d1ea9d15409fe830cebf31a2f12
- SSDEEP
  
  196608:6C86m9+NO3mj55jt28jBDpOGce1rjUhz+XshT3olw39xPis5BskMoiE:6C86SMO3iDhBU5hT3o239xqo
Score

10^/10

njrat quasar defender hacked persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratquasardefenderhackedpersistencespywaretrojan

behavioral2

njratquasardefenderhackedpersistencespywaretrojan