njrat | e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551 | Triage

Sharing

General

Target

5932E512FCA596DE1FA5774A45744D81.exe
Size

1.3MB
Sample

230706-ag51jagc96
MD5

5932e512fca596de1fa5774a45744d81
SHA1

c4d113bdc52299a7747a6583fce8b4e0b84d9b44
SHA256

e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
SHA512

caf150d5fe779167c8f1db3de3ffe0c379d3ca1c4bee3ad95cdae12cdf9323fe4bff8c2b80b3607125fc9b3fa4bd35f4faa0d0669d505c7f3f1533dc139f0204
SSDEEP

24576:b255Z6Cl6D/NkA+oRQkXAhaAOiMmY3DJYv2crSxYu:Gn6Clc1kApRNQvOiMP82cGe

Score

10^/10

njrat xworm lox evasion persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Lox

C2

127.0.0.1:27486

Mutex

Defender.exe

Attributes

reg_key
Defender.exe
splitter
|Ghost|

Extracted

Family

njrat

Version

im523

Botnet

lox

C2

structure-tour.at.ply.gg:27475

Mutex

90e01f40b77fe25a11d52d46dae82c17

Attributes

reg_key
90e01f40b77fe25a11d52d46dae82c17
splitter
|'|'|

Extracted

Family

xworm

C2

programs-scsi.at.ply.gg:27411

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  5932E512FCA596DE1FA5774A45744D81.exe
- Size
  
  1.3MB
- MD5
  
  5932e512fca596de1fa5774a45744d81
- SHA1
  
  c4d113bdc52299a7747a6583fce8b4e0b84d9b44
- SHA256
  
  e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
- SHA512
  
  caf150d5fe779167c8f1db3de3ffe0c379d3ca1c4bee3ad95cdae12cdf9323fe4bff8c2b80b3607125fc9b3fa4bd35f4faa0d0669d505c7f3f1533dc139f0204
- SSDEEP
  
  24576:b255Z6Cl6D/NkA+oRQkXAhaAOiMmY3DJYv2crSxYu:Gn6Clc1kApRNQvOiMP82cGe
Score

10^/10

njrat xworm lox evasion persistence rat trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratxwormloxevasionpersistencerattrojan

behavioral2

njratxwormloxevasionpersistencerattrojan