njrat | 546915e509d4f1c3a8b0f9d415ba3ade1b5095e1f69eef877e64f36203b4da67

Sharing

General

Target

danger.rar
Size

3.2MB
Sample

240107-xms99acgb9
MD5

d63de20d0f8898d0bc46162cbea6044e
SHA1

ae2b4418724df39febc159d9043a1750fee080e7
SHA256

546915e509d4f1c3a8b0f9d415ba3ade1b5095e1f69eef877e64f36203b4da67
SHA512

3cdcd8fcfb0aec0256a0cbc011973fb80cb8644b11229577978200f76a5d9062b2ae4fdb6306272eb9d7c394c08823fa9cee83541885111ffecede4902c80ed6
SSDEEP

98304:ZxgSMKYYiazHxKAU4XwHaYuoyAx6owNSU:ZqIrQAqHUFowNSU

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

tr1.localto.net:39186

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Storge.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

dead-reviewer.gl.at.ply.gg:60161

Mutex

90319c19387bbc36810cf2f727f01c05

Attributes

reg_key
90319c19387bbc36810cf2f727f01c05
splitter
|'|'|

Extracted

Family

vidar

Version

40.4

Botnet

706

https://romkaxarit.tumblr.com/

Attributes

profile_id
706

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

raccoon

Botnet

17ac5bf38b1a6b1d4173afdd8ddb90cf

http://176.113.115.213:80/

Attributes

user_agent
SunShineMoonLight

xor.plain

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

http://dpav.cc/tmp/

http://lrproduct.ru/tmp/

http://kggcp.com/tmp/

http://talesofpirates.net/tmp/

http://pirateking.online/tmp/

http://piratia.pw/tmp/

http://go-piratia.ru/tmp/

rc4.i32

Extracted

Family

stealc

http://91.215.85.189

Attributes

url_path
/43851895e447afd7.php

rc4.plain

Targets

- Target
  
  2door.exe
- Size
  
  167KB
- MD5
  
  e22cb3768b8f1f0bd6a8334fe9480230
- SHA1
  
  8330fbc04aec9f431b7b7e78bb9cc27dadc1d07a
- SHA256
  
  f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d
- SHA512
  
  129e2fa45cbe86d5095e2729a941af32cbfa92f64a4cd301cdc73d7963b8a8b69616f21350efec22b043c127da0411aad13efe3b9277f759e31530bf3dc04d40
- SSDEEP
  
  3072:I70460vVgQa7NLfIMCSBnp8iqXzNY4LHUegh2cp:0Fa7NLfIMCSB2NzSCO5
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Synapse X.exe
- Size
  
  39KB
- MD5
  
  dc4d4769d663fbf00bfe6d0e83f5f0ec
- SHA1
  
  bfb1de87f74d835aef883d131b5f12f7bc2db549
- SHA256
  
  1c4ce5bfffdd71630d23fe0cfbf1217d8b195db9899d2ca53ee1c89b0b25caa1
- SHA512
  
  efae356790fe1dfe557e6709b8f6b541b4cb43844735d9bd866f8f8e579e37342e69258b663cc1c08144c6fd10006b5b7482d6855711b85417ab9281c6286cc2
- SSDEEP
  
  768:0Q46ubAL+1XrjW6vXPcCQgoyfccJY2sJvo80F5Pi9j/k67OMhF3trQ:f46ubHXrjdPcCQzyBJY2cCF497k67OMS
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  XClient.exe
- Size
  
  190KB
- MD5
  
  2d76fcb9deef6e4852632fc9a44ab454
- SHA1
  
  10dcb76c496fea1fc4923cde0d4b021603aba861
- SHA256
  
  d399b506ff21aec0263be59b24c2ef97fa0b220257b4290f836ccbbde2bcc5bd
- SHA512
  
  c3ea002917266b0858b5a3732ac5df8ed016699eb4a058e15fcc2bf658628b601f3003593f49b5197b7d388f66eec04da963935e47a58e359bda8aacdd3748c7
- SSDEEP
  
  3072:asZOqILP2psn3+bjTOdnp0RUGKXs+S++7KFSbxeY+qDDrMP:xUqJUObeGqStKEbxI
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
behavioral3
- Target
  
  fuck you doork.exe
- Size
  
  2.5MB
- MD5
  
  66d13537ed49e50fb83673f7632c0e5e
- SHA1
  
  dc3ac1f47fe9d06e847fcb0ddf26190add45b839
- SHA256
  
  bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
- SHA512
  
  c7047b62d3d8313bd9eec725c310a635f452e57d21b5ae625ef7993620ffc7fbb503ac3dc5b9309fdf47704437a4126d35155f63697761888c36d399baca1064
- SSDEEP
  
  49152:9gFBlMFeWIvkLRoj9xuL5daZ1MzvgQza2Mv14mkE2NHGBF2E8r1TAHzNxy8zX5FT:y3lMTrLujc5wjMzlzbAhr2hGAE8RsHHr
Score

10^/10

nullmixer smokeloader vidar 706 aspackv2 backdoor dropper stealer trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
behavioral4
- Target
  
  raccon.exe
- Size
  
  565KB
- MD5
  
  58471a5a6454e76313cb17ef007358f7
- SHA1
  
  fe7a637e08974fc3ba4a6f86fec924ce31347539
- SHA256
  
  8710679cc4055b4ed025b3be8a9b248a3ca457cf95673b31fcd7865669e49bcf
- SHA512
  
  e82f23cfcf0179c5ca731a676eea950935f52b966990446e53c35587253ef6899891b19652150438341a88c243b0bde4b4efd347485e13d5f86eef4c9c5d1cea
- SSDEEP
  
  6144:ubSe3uM6N1VXaEa2AzTkb0xLWay+B2SlZY2TJEyZwFhbQtFFftG5x6nAg9/t1KHb:SSe3p6NGLBf2SfZYbSFltG58nAnbcc9
Score

10^/10

raccoon 17ac5bf38b1a6b1d4173afdd8ddb90cf stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V2 payload
behavioral5
- Target
  
  smokeloader.exe
- Size
  
  248KB
- MD5
  
  14c45fa75b1f8644c5fe37ca234a456b
- SHA1
  
  056713d15dfa8032597aac2e3f61e6a5794a53e8
- SHA256
  
  ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a
- SHA512
  
  b6f212cbb3255c2da4d1935507c5f83833bbeea3b6aca7c0632852db2018dc1a667756b8693a50793cc1ea75296fc13b60eea8c0b645a9e7c901a69a6adbbc21
- SSDEEP
  
  3072:A9orP+stnvfG4+zxvGz/QUVcRe/1nkJuTby/cT2cARxVC09++zu:SoCshG4qx1UVco/1aYySAR+
Score

10^/10

smokeloader pub4 backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
behavioral6
- Target
  
  start.bat
- Size
  
  93KB
- MD5
  
  a2678bbd0eace916ffeb692085da3ce3
- SHA1
  
  4962672978e14a77eddc7992296faa88f68cfc0e
- SHA256
  
  0d1e495ca174082e5f51835d1fab22a9a664e83dd06cbd6670617cbb1c30a456
- SHA512
  
  8f773d8bf5389953d886074f9da65e7114479d05e63f1f60da66db89381e06d5c9e8780d03131d89ffe01c1be5daf5c020fa201ded7048d70c15f9261752d861
- SSDEEP
  
  1536:cuNBNvGfr2p4dTT/hDjEwzGi1dDKDkgS:cuYfr2p4dP/Gi1dkd
Score

10^/10

njrat hacked evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
behavioral7
- Target
  
  stealc.exe
- Size
  
  256KB
- MD5
  
  189736b36bdf727a34cf673e7797823b
- SHA1
  
  a3ea45dd1d9fdbaf19c5197ee6515c78168bc4b9
- SHA256
  
  bb6758a9bce33333cbe3c141c2f7c94077d97cf25c83eb4282cc5ddcaeccc194
- SHA512
  
  4d8c1143a785df75885ef851f88249a5078d436bf3a3e9ac74326df11cd7cea87ccbca5bbe08aaea75cd675a5b00a58ce1e3da4df373f81c765e4bfbce16f141
- SSDEEP
  
  6144:NlL+epunGnKy5a6MlWLuerZDqtJD80VK/o:rvunGnKyyW6eNDqtJDrc
Score

10^/10

stealc stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

SmokeLoader

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detect Xworm Payload

Xworm

NullMixer

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Raccoon

Raccoon Stealer V2 payload

SmokeLoader

Deletes itself

njRAT/Bladabindi

Modifies Windows Firewall

Stealc

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8