njrat | 4f3e4c4534278e7a9f2f9ab171d11d5250caa31a07d3d82eaa13fb13d6a6e347

General

Target

04257366cd7084ddbfa38b5f66f1bf79.bin
Size

1014KB
Sample

230605-lw7nfsfg83
MD5

5c00988102aa0fb486ccecbbcf85cfff
SHA1

a5769cd762f6e087c20ddc04c53599651c10246b
SHA256

4f3e4c4534278e7a9f2f9ab171d11d5250caa31a07d3d82eaa13fb13d6a6e347
SHA512

c45ca2d460782a87ac6d845c72907acafd011d9bbe85d05cb2d7f9936e85e8b0e398eba5439f1a5a2059423038e8252e39f861cee031df54267c2621b02dbad9
SSDEEP

24576:vGY8c8r4oIdO644WBsuQHk+/1R73KF+cgoED8kEoMoFKO:X8UoIQ6ZWe9k+/1RrKF+wJsz9

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19046

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

- Target
  
  df22d21151daa9e2c32fedfaf67ee7b13913f8a650153443dc3d2fbd9d8fa732.exe
- Size
  
  1.0MB
- MD5
  
  04257366cd7084ddbfa38b5f66f1bf79
- SHA1
  
  3de1fa3a071ee9d98aad78b87de4d33acc63b080
- SHA256
  
  df22d21151daa9e2c32fedfaf67ee7b13913f8a650153443dc3d2fbd9d8fa732
- SHA512
  
  8765f248be7fe82afa45a72a0a7a5329c049df63fbb8e927acabc7375746c7344cf5df13e9b3f35812540f7e0b0f737d266e51a67df2978f49c512c0f8c43e8e
- SSDEEP
  
  24576:RytoGWYXoq02QtuOyn/sfBzHRRhzcP2vHdhFrI:ElXt6nJIPKF
Score

10^/10

redline lupa metro discovery evasion infostealer persistence spyware stealer trojan njrat collection
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2