empyrean | 15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff | Triage

Submit
Reports

Overview

overview

Static

static

15963fa208...ff.exe

windows7-x64

15963fa208...ff.exe

windows10-2004-x64

7

Sharing

General

Target

15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff
Size

31.4MB
Sample

240303-bsl78sba4x
MD5

eaffb1a1f6fc1fc1c01cc73c3fdf0cb2
SHA1

6bc085e9b71cd8a79688f28547df8c1cde97ef2c
SHA256

15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff
SHA512

69ca049498c75b683312faabcbfceb9c68af4a248c43284039e5b75e97141aba9929882ff5ef28c64dff801aef3c13297284f584853b756ba8a09bd1b18d2e2c
SSDEEP

393216:j51YNP9rbT01YNP9rbTetel5qPnLFXlckK9QM8nAB3Q0GF9g9Jh6vEo56OmNm:j5grsgrWIlwPLFXTK9Q1kAZubTB8

Score

10^/10

empyrean njrat lime persistence pyinstaller trojan upx

Static task

static1

pyinstaller njrat empyrean

5 signatures

Behavioral task

behavioral1

Sample

15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff.exe

Resource

win7-20240221-en

njrat lime persistence pyinstaller trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff.exe

Resource

win10v2004-20240226-en

persistence pyinstaller upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

219.254.199.13:6522

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
KartRider

Targets

- Target
  
  15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff
- Size
  
  31.4MB
- MD5
  
  eaffb1a1f6fc1fc1c01cc73c3fdf0cb2
- SHA1
  
  6bc085e9b71cd8a79688f28547df8c1cde97ef2c
- SHA256
  
  15963fa2085ea360f528506bd5f515d2f61bb0c456e6ca91ea814de62039ceff
- SHA512
  
  69ca049498c75b683312faabcbfceb9c68af4a248c43284039e5b75e97141aba9929882ff5ef28c64dff801aef3c13297284f584853b756ba8a09bd1b18d2e2c
- SSDEEP
  
  393216:j51YNP9rbT01YNP9rbTetel5qPnLFXlckK9QM8nAB3Q0GF9g9Jh6vEo56OmNm:j5grsgrWIlwPLFXTK9Q1kAZubTB8
Score

10^/10

njrat lime persistence pyinstaller trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

pyinstallernjratempyrean

behavioral1

njratlimepersistencepyinstallertrojanupx

behavioral2

persistencepyinstallerupx

© 2018-2024

Terms | Privacy