Resubmissions

  • 04-06-2023 23:32    230604-3jsr7seb32    8
  • 04-06-2023 23:15    230604-28kmfsef4y    10
  • 04-06-2023 23:14    230604-2757rsea95    3
  • 04-06-2023 23:14    230604-27zpzsea94    3
  • 04-06-2023 23:11    230604-26dfcsea88    7

General

  • Target:  Morpheus Crypter.zip
  • Size:    1.0MB
  • Sample:  230604-28kmfsef4y
  • MD5:     d2061d06219385c6b96b25bf1a099c4c
  • SHA1:    160a5b7c91b771adcb54d83b7a1a424bfddc9662
  • SHA256:  271319b95a4992827b8aa1aef16e9d4bf3074e7e3444c7947881fd2ba4cdb8a0
  • SHA512:  e5cf8ac1625fec16fe2a57ca7b8a57c5e0083ffb556f942f30a8a30b709e282e756fe12f144d7e6f9a1be45c5ceee4387e6dd3cbe4146627fb4a1a36449d7185
  • SSDEEP:  24576:Ed09OIibo0I+CXaRTBdUcnUm9S09zlxRS8LZ/O/Xq:f97ibBd5nU+Umw0rx48JO/6

Malware Config

Extracted

  • Family:   njrat
  • Version:  im523
  • Botnet:   HacKed
  • C2:       127.0.0.1:5552
  • Mutex:    165d6ed988ac1dbec1627a1ca9899d84

Attributes

  • reg_key:   165d6ed988ac1dbec1627a1ca9899d84
  • splitter:  |'|'|

Targets

  • Target:  Morpheus Crypter.exe
  • Size:    1.4MB
  • MD5:     1aa43e7d7e2e812792f06312db0757d8
  • SHA1:    606a3060aac710287dd02b36b2999fecb9e67932
  • SHA256:  894041eeb6bf1a9b30e3492c7effef36c7e7fe4c6369f52893ccf12cd01362ff
  • SHA512:  8c148a5627e57e89209c17c96377d74130f3f780008830e0ecf75cff4666701d0521c8f3bcefd44148d564fc26f56ff39e794863d54af899fdcf935dea713121
  • SSDEEP:  24576:ovtzecScg7UdHaebuoXlXNPiCXaRt1CGgJs3bO0Yts0POvlNQFfokUolc8VB/w/c:6tUEaSsf1LgJue0l8/w/c

Signatures

  • Imminent RAT
      Remote-access trojan based on Imminent Monitor remote admin software.
  • njRAT/Bladabindi
      Widely used RAT written in .NET.
  • Modifies Windows Firewall
  • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
  • Drops startup file
  • Executes dropped EXE
  • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
  • Uses the VBS compiler for execution
  • Adds Run key to start application
  • Drops Chrome extension
  • Drops desktop.ini file(s)
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
      Scripting                            1  T1064
  • Persistence
      Modify Existing Service              1  T1031
      Registry Run Keys / Startup Folder   1  T1060
  • Defense Evasion
      Scripting                            1  T1064
      Modify Registry                      1  T1112
  • Credential Access
      Credentials in Files                 1  T1081
  • Discovery
      Query Registry                       4  T1012
      System Information Discovery         5  T1082
      Peripheral Device Discovery          1  T1120
  • Collection
      Data from Local System               1  T1005