General

  • Target

    KiwiXV4.zip

  • Size

    10.0MB

  • Sample

    240313-he498agh46

  • MD5

    3a46a2a92ccf023b0149d791bc79899c

  • SHA1

    9844fe4ae19c282635b2c5cfc7106b42ff9a7146

  • SHA256

    014984b4b81ac3aee22523fc6a79030159f63a0f79ba6028dde7dd8795b1c325

  • SHA512

    533b927c8ed9d3ab85bb1b23df5302cdadb73fce6d0b8a9144e1a12aac6a38be1d72df335c66132d8fe73b4dfeb4a2826077a4c7ab44a0ba9f2c68941e444401

  • SSDEEP

    196608:Jpq1YworjyoToZAe+UhBa68CTPmGYla/E6QzfNhg5pyqf6BgAJB:/RworjLv/Uhs68kmGYWQfj2f8nB

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    having-jackson.gl.at.ply.gg:56522

  • Mutex

    7c148ac38012fc3caa04b1bbe75feba0

  • Attributes

    • reg_key

      7c148ac38012fc3caa04b1bbe75feba0

    • splitter

      |'|'|

Targets

    • Target

      KiwiX(vira)/Exec.dll

    • Size

      6.9MB

    • MD5

      1ed364cd6081f058fd52545e65f31fcd

    • SHA1

      d3cb3660b497d0a6c2e75bd7e679fee3641272fe

    • SHA256

      43830608991e3480dbd8cea33f7a968a388497df1bf2fe61d00ad60627231cbf

    • SHA512

      6f79120e4976dc9a659008535a86f691c511eac9da8919617591a3ae595ba25879f9e3ba455ea8cbfe479d35bb7405264ebdfd599aeb518d9f4861fe4d69bdbd

    • SSDEEP

      98304:du+mrLHJQOsgrMWnbLe9u/t8MmWOv/enGJGp8bHSpC24Gqdi:AdrLHJQhgrMWbq9VMmWGmnQGpvpZ43i

    • Score

      1/10

    • Target

      KiwiX(vira)/Inj.dll

    • Size

      6.9MB

    • MD5

      1ed364cd6081f058fd52545e65f31fcd

    • SHA1

      d3cb3660b497d0a6c2e75bd7e679fee3641272fe

    • SHA256

      43830608991e3480dbd8cea33f7a968a388497df1bf2fe61d00ad60627231cbf

    • SHA512

      6f79120e4976dc9a659008535a86f691c511eac9da8919617591a3ae595ba25879f9e3ba455ea8cbfe479d35bb7405264ebdfd599aeb518d9f4861fe4d69bdbd

    • SSDEEP

      98304:du+mrLHJQOsgrMWnbLe9u/t8MmWOv/enGJGp8bHSpC24Gqdi:AdrLHJQhgrMWbq9VMmWGmnQGpvpZ43i

    • Score

      1/10

    • Target

      KiwiX(vira)/Inj.exe

    • Size

      37KB

    • MD5

      46575abc24c74bb039259908b0231c95

    • SHA1

      17dc60529ec69d46ce60ca45c6f6396e3462960c

    • SHA256

      443a8d301e9bcda70076375978a3d32a9a1c9552bf84aa9cbdd68635a07cdeda

    • SHA512

      89c234a4889817b665eaf61beb562b35a2bd269ed2d54dab6dc430cb3ab1a121e3a399046516050f442e25e35c4e14915ddf6aa983d4c1011b36749b5f8fb550

    • SSDEEP

      384:NA8syikT2zIuMXY1uyZD7jKuo3HCsmY3NrAF+rMRTyN/0L+EcoinblneHQM3epzp:+yY1lN7uuoSNY9rM+rMRa8NuBy8t

    • Detect Umbral payload

    • Modifies Windows Defender Real-time Protection settings

    • Modifies firewall policy service

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      KiwiX(vira)/KiwKey.dll

    • Size

      887KB

    • MD5

      48a99c593b8e4931af863a17fc5cee90

    • SHA1

      e0adf9ca63e6fdd1e8ba52fb0e5f6b2c58608cb1

    • SHA256

      4bdc6e738177e2f1cb2ec0441389d8120f37dcb2f52bec8431ba5092ae5edfe2

    • SHA512

      f7fd460c37f9d3d218f523a51ccc8679af23874440fca8df8a870ab7263566abd5e629bb3df3ed4ac4266991ba5b5ff0fab85226c2a0cad6cd51dbcca1e54102

    • SSDEEP

      6144:vJiKordQ6ighEmIBVrRyINZAii+UU8XFgEBFkrSbUKkF0egDIBJqGqILcQ8Wzdzs:vHB8GISnkjiLSRHF3BTwJ/SQItaV2

    • Score

      1/10

    • Target

      KiwiX(vira)/KiwPG.dll

    • Size

      892KB

    • MD5

      6757f7fc7460bf7cd8b6287cc562adce

    • SHA1

      f4a673730a73e72bf4c43326f5857dd3ab60dee9

    • SHA256

      c9e19ab184323bc35bf750ca4e292e01ab4800a6f278d9d07041024c78ed7878

    • SHA512

      de1c3802f6b6768d6079d82a27cde64266a3c6fc13aa7556575eb586c4dff51c1b48af559d617e61b4b888a491b0724242836a5779026c66d0672dcf72cb5c8c

    • SSDEEP

      12288:AQKjC6UfHlf8VETpBeK/wlOEUyeNNUcjpbuOA0hLdM0Kdf3YkwwdBCWUQHCP9:Km6UdfGN8EUxtpCOLI0Kd/YkZCWUQc

    • Score

      1/10

    • Target

      KiwiX(vira)/KiwiX.exe

    • Size

      3.8MB

    • MD5

      b367ab5cb8286aa0d4c3aeaa7204ad2f

    • SHA1

      c5a2e63e604acd90226cb78a9de194e5ccacda0e

    • SHA256

      c7e54e2ee5dc91af44b68090111569deed21397957f9335b392dd288ec40686e

    • SHA512

      9054dfd48cc27670104ae004efcaf9960afad3dbb8b3d2d47c2d3a7e4731edb8b567f96d852a5d2f368063eb5caff537578837e78ab4dcacea669224ecce9a87

    • SSDEEP

      98304:RGB/h1uN3eETMNo0uHX/EmB2ot+YUiGuZfaWp:RG4N3eETMNoyo+Y8uZftp

    • Score

      7/10

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks