njrat | be7f72966ca6ba415bfac32889f448fa5bed9a02632da14f363902ff88fd04c1

General

Target

ahhdaddyServer.exe
Size

37KB
Sample

240415-zkq38afh86
MD5

b7d80717060187f2e147b028db8cb96d
SHA1

45ce47e73a1c1b7eb346cf8300c298236da5053e
SHA256

be7f72966ca6ba415bfac32889f448fa5bed9a02632da14f363902ff88fd04c1
SHA512

c8ad1ec55c9f0557cc96b739296a2544d2174f6acf33980777e0f7e953443078a6f3a9acfd43e19b0dbf1d16c473a1b306a42d9baf4a88073fc73c6bdc8212a9
SSDEEP

384:zE/IiuRjtD+P3V+y0b76netHx0sAbOHZrAF+rMRTyN/0L+EcoinblneHQM3epzXj:IemV10b76netStO5rM+rMRa8NuZFt

Score

10^/10

njrat i am furry owo evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

OwO

C2

artist-composed.gl.at.ply.gg:28632

Mutex

37f622693e6086826fd92b3e7e508134

Attributes

reg_key
37f622693e6086826fd92b3e7e508134
splitter
|'|'|

Extracted

Family

njrat

Version

im523

Botnet

I am Furry

C2

green-morrison.gl.at.ply.gg:17455

Mutex

e14109296e01cf24bb9b7f72f64c4cb3

Attributes

reg_key
e14109296e01cf24bb9b7f72f64c4cb3
splitter
|'|'|

Targets

- Target
  
  ahhdaddyServer.exe
- Size
  
  37KB
- MD5
  
  b7d80717060187f2e147b028db8cb96d
- SHA1
  
  45ce47e73a1c1b7eb346cf8300c298236da5053e
- SHA256
  
  be7f72966ca6ba415bfac32889f448fa5bed9a02632da14f363902ff88fd04c1
- SHA512
  
  c8ad1ec55c9f0557cc96b739296a2544d2174f6acf33980777e0f7e953443078a6f3a9acfd43e19b0dbf1d16c473a1b306a42d9baf4a88073fc73c6bdc8212a9
- SSDEEP
  
  384:zE/IiuRjtD+P3V+y0b76netHx0sAbOHZrAF+rMRTyN/0L+EcoinblneHQM3epzXj:IemV10b76netStO5rM+rMRa8NuZFt
Score

10^/10

njrat i am furry owo evasion persistence trojan ransomware spyware stealer upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2