njrat | ffe78ab905d69421ab325f5f6fa0e1448a01245538d1f275abaa645e44fb0cb5

General

Target

я хз.exe
Size

60.0MB
Sample

240316-y8akpsbe2v
MD5

5d6cfc446688ff35118f60f1c0c6d9ec
SHA1

c38cc9315d6212dbf9a2b0121bedf8e19e4489c9
SHA256

ffe78ab905d69421ab325f5f6fa0e1448a01245538d1f275abaa645e44fb0cb5
SHA512

2d48eb58d9d145171efe3e98782bf1a8fbd28b2b7fb3b038172a8b36016bf318a9fb0f8e2729f3023a99ad2e3a05225030e18614792818046705531dcbcad199
SSDEEP

49152:qn5mOaNuKQGr02wVAFJApbVY6e7D5jD9KVSxU03l8U+cweXeFrA1n:q5mlkK1Dqne7D5jD9KVSxU8g9A

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1218609538920353852/S1ojkdaVMzB73hU0FP8eYpB-410O6wodDINDM_pIeYL7IbxP-7KaqYh-SCI37JJ02Eb_

https://discord.com/api/webhooks/1218255752314097764/pf1l_fyX4Y944q-tMNsmbSq2cfDBpqCBXuTvF0vyF76tkTcn3FOYasjrq_iM6NffJOYF

Extracted

Family

xworm

C2

approved-supports.gl.at.ply.gg:45098

Attributes

Install_directory
%AppData%
install_file
rat.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

6.tcp.eu.ngrok.io:11599

Mutex

56b4ba924dd7632c1dcce848fbc8f14a

Attributes

reg_key
56b4ba924dd7632c1dcce848fbc8f14a
splitter
|'|'|

Targets

- Target
  
  я хз.exe
- Size
  
  60.0MB
- MD5
  
  5d6cfc446688ff35118f60f1c0c6d9ec
- SHA1
  
  c38cc9315d6212dbf9a2b0121bedf8e19e4489c9
- SHA256
  
  ffe78ab905d69421ab325f5f6fa0e1448a01245538d1f275abaa645e44fb0cb5
- SHA512
  
  2d48eb58d9d145171efe3e98782bf1a8fbd28b2b7fb3b038172a8b36016bf318a9fb0f8e2729f3023a99ad2e3a05225030e18614792818046705531dcbcad199
- SSDEEP
  
  49152:qn5mOaNuKQGr02wVAFJApbVY6e7D5jD9KVSxU03l8U+cweXeFrA1n:q5mlkK1Dqne7D5jD9KVSxU8g9A
Score

10^/10

njrat umbral xworm hacked evasion persistence rat stealer trojan zgrat spyware
- Detect Umbral payload
- Detect Xworm Payload
- Detect ZGRat V1
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2