njrat | 46d0e4f12bd02daa8d9ad95a5d5c2b5b051337cb54c30e0c597f248f513664aa

General

Target

15c4bf2e809aa8681b2f86f321665da9.bin
Size

1014KB
Sample

230605-l5kv2sfh43
MD5

2aae455b0e4dab161ad56a61e5f0f949
SHA1

e5ee29f02215f12116bc70bce9c2acdf2ddcd3aa
SHA256

46d0e4f12bd02daa8d9ad95a5d5c2b5b051337cb54c30e0c597f248f513664aa
SHA512

8cfb4674019c8a563c68613641ce2441de309c27cf2d7ae838483114bb4a438ca04d5b9a3bb396eb594c028fd575590dbeba7693064591974ec3fe63a72601b1
SSDEEP

24576:RXJrNrj74K2NU+ChXAW6+m04oh+e9MsGsFqVq03x://Wmm048+uvgXx

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19046

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

- Target
  
  64713d99bc1ec761ffa35a01599a7c203df4ebce6ab739f45f300b3829b14688.exe
- Size
  
  1.0MB
- MD5
  
  15c4bf2e809aa8681b2f86f321665da9
- SHA1
  
  6e844c04acc105dcbc02c23f5ed1c71fb6daaf00
- SHA256
  
  64713d99bc1ec761ffa35a01599a7c203df4ebce6ab739f45f300b3829b14688
- SHA512
  
  d16ed644fabcfb87d1f7d699d5049fa9bb77725a7c97703028e0c3a3524148ca6e65020121fe76d9c3878e81a71dd34b192734b8dd3ea9a5673601959bd7f3ef
- SSDEEP
  
  12288:WMr3y90m1At5Sy4Eld/TC4Hxw/vVEHUt7zRrBGTyRR8mzrCyARQwvvmzkLpphVvi:Fyd1ADS2F+FhduJmzCtAkLD/v7BMFuM
Score

10^/10

redline lupa metro discovery evasion infostealer persistence spyware stealer trojan njrat collection
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2