njrat | c4edeb1befa9d2125c24938dfa1ac106d35f6992793a5ebc8c2b09ec38777ca8 | Triage

Sharing

General

Target

1fb97ee37a2c5a979bc4dff4613f9fb2.exe
Size

93KB
Sample

230823-w93a1agd2v
MD5

1fb97ee37a2c5a979bc4dff4613f9fb2
SHA1

13679e8eb6e8995bfda6590f3dd04c6d99104b67
SHA256

c4edeb1befa9d2125c24938dfa1ac106d35f6992793a5ebc8c2b09ec38777ca8
SHA512

913f3b430ea169ae91079a65982b15b913c89ee9eb43eb15a09bb44f052e27597e598017b1c3cc47b2633e8ef9c9b5f056e447beb5b61f3453e2280c0c52a727
SSDEEP

1536:ghnR8lZc+/2HK1j+58dljEwzGi1dDUDPgS:ghnKc+/2HK1a8dSi1dyo

Score

10^/10

njrat лошок evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Лошок

C2

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:19914

Mutex

af200c2dc24146f167c6cde4523f107f

Attributes

reg_key
af200c2dc24146f167c6cde4523f107f
splitter
|'|'|

Targets

- Target
  
  1fb97ee37a2c5a979bc4dff4613f9fb2.exe
- Size
  
  93KB
- MD5
  
  1fb97ee37a2c5a979bc4dff4613f9fb2
- SHA1
  
  13679e8eb6e8995bfda6590f3dd04c6d99104b67
- SHA256
  
  c4edeb1befa9d2125c24938dfa1ac106d35f6992793a5ebc8c2b09ec38777ca8
- SHA512
  
  913f3b430ea169ae91079a65982b15b913c89ee9eb43eb15a09bb44f052e27597e598017b1c3cc47b2633e8ef9c9b5f056e447beb5b61f3453e2280c0c52a727
- SSDEEP
  
  1536:ghnR8lZc+/2HK1j+58dljEwzGi1dDUDPgS:ghnKc+/2HK1a8dSi1dyo
Score

8^/10

evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

лошокnjrat

behavioral1

behavioral2