General

  • Target: ImmortaLFort.rar
  • Size: 11.5MB
  • Sample: 240419-1r13fage59
  • MD5: 0e7c7aa36ec5edf8a42cd9ca5b68bd06
  • SHA1: 457c6d05f7289ab90590d9ec3fc84b6b2f0a97a6
  • SHA256: f51422da0c91f9c2dcd1e87e61f0a59f64cd71915a006fd83f67be96e8cd31a5
  • SHA512: e265e7f7ba57d90ff24c06af66e769cc2ed1c894f9aad05e75aae7d2281f672da3966950f016a6124eac12d903df0b0d7562cd8f151b9e8f334b2760f451444b
  • SSDEEP: 196608:iZ6TK8TtLDMZ9w0Ls+xpTtRg5zEFhsk1T9urdYE7tRPYA+tzNY2hixKXl/4lxk:iZ6tTtLDA7xpT5hv+RkpAK1/4bk

Malware Config

Extracted

  • Family: njrat
  • Version: Platinum
  • Botnet: MrSvch0st
  • C2: 127.0.0.1:1337
  • Mutex: notpad.exe

Attributes

  • reg_key: notpad.exe
  • splitter: |Ghost|

Targets

  • Target: ImmortaL/Launcher.exe
    Size: 19.9MB
    MD5: 9319baa845014b9b1b19c74d71b3102f
    SHA1: abd3a8d4b66c8ae234c3c364418c7f36496971c3
    SHA256: b5b06a1fc40c1f61198aec7becfcd62a0d3da7a19e48166b8f8e98840a2ca7fe
    SHA512: 2619a014ae87c5942f5c672981cc7121650057c2f6e0be74426942eebf6f54d457b6f5860e9fedb83ab3257e466a4b0ad7ed4671867f8b5f46a8de91793eb45f
    SSDEEP: 393216:QsJU/P2y1sMts1jn0xnJ6A0C2jQ1riHfqXAU6S:QsJU/uB1jn0xnJ50C2M1eUT
    Score: 1/10

  • Target: ImmortaL/WinRT.Runtime.dll
    Size: 389KB
    MD5: 0966745c6b954e7bbd15459756a106c6
    SHA1: f6efa62a95b4f40c84341ed58c1d3c8d5af2111d
    SHA256: 4977a1e6dcee4c3310a68e20f2879cf39b95255e29f3fd7557781e058445cb9b
    SHA512: ab8a07fdf72315ffaa49271faca6d0d6523b3480d53fd6f5225fdfcb41ee099e3b401872a684016ed02d347b48eae3467185b6e9dcd16994c0b7e3c562e9a047
    SSDEEP: 6144:WlOYSCIkSjwAF56b5uuXzAOJPvcFVloAFJpR0krlFo/UkjYPqNHav96iTtq7CYm:WQvCZoKN/DelFo/tNHav96iTtq5m
    Score: 1/10

  • Target: ImmortaL/launcherimortal.exe
    Size: 8.0MB
    MD5: 27e834cd6f7f5f0d56a8c1f50d7c8ec9
    SHA1: edb4639e5b684ecc1a0d0b5676a890a58656c6e8
    SHA256: 850be50676a9696f263611dfce1c11fea0c3cf211fef0b9f9fccadf500135435
    SHA512: 3a99d21b87ad47801ee8fb81b90570daaac4d0f771963dab0c7f1b9e848e05b89a57b4c7e90d8753dc56cefcef4f5f8a122c12b1f51cfbb950e848f408b74087
    SSDEEP: 49152:RTWfqjVmnGoZCIKmqeinNEn3JKaBZfeYy9VwjwXzl4V4Tu0sYDcXYTWfMsoPRfjd:KxHnaeiQ7BZG39

    • njRAT/Bladabindi
      Widely used RAT written in .NET.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                  Technique                              ID          Count
  Execution               Scheduled Task/Job                     T1053       1
  Persistence             Boot or Logon Autostart Execution      T1547       1
  Persistence             Registry Run Keys / Startup Folder     T1547.001   1
  Persistence             Scheduled Task/Job                     T1053       1
  Privilege Escalation    Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation    Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation    Scheduled Task/Job                     T1053       1
  Defense Evasion         Modify Registry                        T1112       1
  Discovery               Query Registry                         T1012       2
  Discovery               System Information Discovery           T1082       2
  Command and Control     Web Service                            T1102       1

Tasks