General
- Target: DcRat.7z
- Size: 24.7MB
- Sample: 230806-fsj54ahd2v
- MD5: b4b4a610df1a6e5d7b4a7771398ba3c7
- SHA1: a3ae8d7a63329a98578a5c373d4fef31e836c118
- SHA256: b157421990f8a723d92fb176febc0531756fb589884d40d0bfba466d6a0b0c23
- SHA512: e5216d7823b2d74a4681122528e40c6455c563bd547aa709ae33f46fbf2feae03579328286137b970e13e6b6dd11afec8ed5b2b855eac09d46e8ad02aa8a5392
- SSDEEP: 786432:kVhB5l8v+kurxLNBnqekxXKTXM/fuHqUz:wD5mTmxLNoekx6sBw
Malware Config

Extracted
- Family: njrat
- Version: 0.7d
- Botnet: NJCRYPT
- C2: windowsupdateservice.mypi.co:8768
- Mutex: 2484db5a2c13348cb68085177e842817
- reg_key: 2484db5a2c13348cb68085177e842817
- splitter: |'|'|

Extracted
- Family: njrat
- Version: 0.7NC
- Botnet: NYAN CAT
- C2: ofi.dyn.ydns.io:5553
- Mutex: f988fca3984c4c
- reg_key: f988fca3984c4c
- splitter: @!#&^%$
Targets
- Detect Neshta payload
- Neshta: malware from the Neshta family is a file infector that writes itself into other executables in order to spread and cause damage.
- Async RAT payload
- Blocklisted process makes network request
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)