General

  • Target

    deploy.exe

  • Size

    63KB

  • Sample

    231023-sk54tabd38

  • MD5

    6f92c594e253457f848f01bac27814d5

  • SHA1

    9d29ff1372582e71bfcf37b9eba3063cc7febc08

  • SHA256

    1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a

  • SHA512

    30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c

  • SSDEEP

    768:Rd5nVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9ASuAdpqKYhg:ZnSdsNdSJYUbdh99HuAdpqKmY7

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Mutex

H伊8jWaCωdcΓP8吾קtרXovNF3

Attributes

  • delay

    1

  • install

    true

  • install_file

    daemon.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/L7WhRmt9

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

146.19.230.52:4456

Mutex

Windows Update

Attributes

  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      deploy.exe

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Stealerium

      An open source info stealer written in C#, first seen in May 2022.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar artifacts.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15