njrat | d148ea5e4ded7cc817182e92711e41e3840db9c1d8fa5656d5e235bb4a696d85 | Triage

Sharing

General

Target

1fb97ee37a2c5a979bc4dff4613f9fb2_JC.bin
Size

34KB
Sample

230901-xdgvvsgg3v
MD5

9cefaf68e6e473ead1a177f9632bcb23
SHA1

91ca795eaf0110fa055a140b082820057d39131a
SHA256

d148ea5e4ded7cc817182e92711e41e3840db9c1d8fa5656d5e235bb4a696d85
SHA512

5b20ebd872f82202374b15ce1094c55111e8dd4e64e39b2ae5d5881de66df6d917c29783aa64df75479ad6380465677a29cc9f306d110f86c9d89427f5f44c90
SSDEEP

768:D5S+6saBt5Ub7fFw9AEPRBLKnHPIgOXmncUys2Ojo:E+87ammE5BiPF7cAxjo

Score

10^/10

njrat лошок evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Лошок

C2

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:19914

Mutex

af200c2dc24146f167c6cde4523f107f

Attributes

reg_key
af200c2dc24146f167c6cde4523f107f
splitter
|'|'|

Targets

- Target
  
  c4edeb1befa9d2125c24938dfa1ac106d35f6992793a5ebc8c2b09ec38777ca8.exe
- Size
  
  93KB
- MD5
  
  1fb97ee37a2c5a979bc4dff4613f9fb2
- SHA1
  
  13679e8eb6e8995bfda6590f3dd04c6d99104b67
- SHA256
  
  c4edeb1befa9d2125c24938dfa1ac106d35f6992793a5ebc8c2b09ec38777ca8
- SHA512
  
  913f3b430ea169ae91079a65982b15b913c89ee9eb43eb15a09bb44f052e27597e598017b1c3cc47b2633e8ef9c9b5f056e447beb5b61f3453e2280c0c52a727
- SSDEEP
  
  1536:ghnR8lZc+/2HK1j+58dljEwzGi1dDUDPgS:ghnKc+/2HK1a8dSi1dyo
Score

8^/10

evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

лошокnjrat

behavioral1

behavioral2