njrat | df15669f7f948abd95d1a4c326aa0443f0cc534513b253accff8bd2549a3f3dc

General

Target

DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe
Size

451KB
Sample

230321-en3wzagg29
MD5

8eb05c68a5880d8f15fa787b02192709
SHA1

45813931de14ac2f4f66d412caf9cf6fd236c5c5
SHA256

df15669f7f948abd95d1a4c326aa0443f0cc534513b253accff8bd2549a3f3dc
SHA512

231d122c647684386399ebe117189f1d784f89ae127fb41a061b6d43bec94c7d9cda0f13b6a4ad7f1ad233177f9df43a11c6040180653bf592ee39d3e74708b3
SSDEEP

12288:BjKiWwykMpBMs3qLVmNwCIWaONK6ezkf4BBe/wKA3JIOb2:Bj5bMpf6L2wzWnW38zA3Zi

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://files.catbox.moe/hw5nal.jpg

Extracted

Family

njrat

Version

0.7d

Botnet

ofiss

C2

ofi.dyn.ydns.io:5553

Mutex

cde55e52fb830e966551ebb867b911f6

Attributes

reg_key
cde55e52fb830e966551ebb867b911f6
splitter
|'|'|

Extracted

Family

wshrat

C2

http://ofi.dyn.ydns.io:8000

Targets

- Target
  
  DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe
- Size
  
  451KB
- MD5
  
  8eb05c68a5880d8f15fa787b02192709
- SHA1
  
  45813931de14ac2f4f66d412caf9cf6fd236c5c5
- SHA256
  
  df15669f7f948abd95d1a4c326aa0443f0cc534513b253accff8bd2549a3f3dc
- SHA512
  
  231d122c647684386399ebe117189f1d784f89ae127fb41a061b6d43bec94c7d9cda0f13b6a4ad7f1ad233177f9df43a11c6040180653bf592ee39d3e74708b3
- SSDEEP
  
  12288:BjKiWwykMpBMs3qLVmNwCIWaONK6ezkf4BBe/wKA3JIOb2:Bj5bMpf6L2wzWnW38zA3Zi
Score

10^/10

persistence njrat wshrat ofiss trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

WSHRAT

njRAT/Bladabindi

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2