njrat | ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82 | Triage

Resubmissions

09-01-2024 14:58

240109-scl1zaebd2 10

Sharing

General

Target

MonkeModManager.exe
Size

146KB
Sample

240109-scl1zaebd2
MD5

81933ce5ca9beb8efb6c431bc6505361
SHA1

7f88cc2b8e40a2f485f9062fc8bba4ac2793c20a
SHA256

ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82
SHA512

debad62cb7928bafc1aebf84933fe64afe7dfea06ef01588509ec7b4283a4a07eed584f40e28e40c626295c3b357b469397a664e65b90cf04d530531daddd4a8
SSDEEP

1536:z3rY49c1TiyDZESAkt4+UM3upJ7ak5C3kIJfmGY9lToGI7J3z+InbSPqZuBsv032:brYlEkXb+pJWkjbI936aSPqZuE090

Score

10^/10

njrat remcos hacked host evasion persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

dead-reviewer.gl.at.ply.gg:60161

Mutex

90319c19387bbc36810cf2f727f01c05

Attributes

reg_key
90319c19387bbc36810cf2f727f01c05
splitter
|'|'|

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

shall-someone.gl.at.ply.gg:60408

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
vindevs
keylog_path
%AppData%
mouse_option
false
mutex
remcos_kixjmsbwpikjkoa
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
60
startup_value
Dlscord
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  MonkeModManager.exe
- Size
  
  146KB
- MD5
  
  81933ce5ca9beb8efb6c431bc6505361
- SHA1
  
  7f88cc2b8e40a2f485f9062fc8bba4ac2793c20a
- SHA256
  
  ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82
- SHA512
  
  debad62cb7928bafc1aebf84933fe64afe7dfea06ef01588509ec7b4283a4a07eed584f40e28e40c626295c3b357b469397a664e65b90cf04d530531daddd4a8
- SSDEEP
  
  1536:z3rY49c1TiyDZESAkt4+UM3upJ7ak5C3kIJfmGY9lToGI7J3z+InbSPqZuBsv032:brYlEkXb+pJWkjbI936aSPqZuE090
Score

10^/10

njrat remcos hacked host evasion persistence rat trojan
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Adds policy Run key to start application
  persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratremcoshackedhostevasionpersistencerattrojan

behavioral2

njratremcoshackedhostevasionrattrojan