General

  • Target

    737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe

  • Size

    2.3MB

  • Sample

    240421-knglmafc72

  • MD5

    2784277bd68152abf75c6c6d59fab7af

  • SHA1

    e1d047c97e3bdfe273b215b42eccde32ca2ca63f

  • SHA256

    737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc

  • SHA512

    e05b8251c9f6c59c7901d72c58f5b8c35dc376068368e67f81ee79da4287ddfc25c6ca5893d87944ed21c592bdd62f57d40a9f78c9af56762f33b010dd10b62c

  • SSDEEP

    49152:T2Q8G4mSmM8sik/AJ+/GRfzlW+oCZBNKoiYNsVjGMFWm02qG6zSo2:T2VmT8B4JAGllW+DBNdtN811

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

0.tcp.eu.ngrok.io:19177

Mutex

62b7d4736043995d94b02f8790cef504

Attributes
  • reg_key

    62b7d4736043995d94b02f8790cef504

  • splitter

    |'|'|

Targets

    • Target

      737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe

    • Size

      2.3MB

    • MD5

      2784277bd68152abf75c6c6d59fab7af

    • SHA1

      e1d047c97e3bdfe273b215b42eccde32ca2ca63f

    • SHA256

      737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc

    • SHA512

      e05b8251c9f6c59c7901d72c58f5b8c35dc376068368e67f81ee79da4287ddfc25c6ca5893d87944ed21c592bdd62f57d40a9f78c9af56762f33b010dd10b62c

    • SSDEEP

      49152:T2Q8G4mSmM8sik/AJ+/GRfzlW+oCZBNKoiYNsVjGMFWm02qG6zSo2:T2VmT8B4JAGllW+DBNdtN811

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • AgentTesla payload

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks