Overview

overview

10

Static

static

3

NjRat 0.7D...on.rar

windows7-x64

10

NjRat 0.7D...on.rar

windows10-1703-x64

3

NjRat 0.7D...on.rar

windows10-2004-x64

10

NjRat 0.7D...on.rar

windows11-21h2-x64

3

Analysis

  • max time kernel
    41s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NjRat 0.7D Horror Edition.rar

  • Size

    18.9MB

  • MD5

    3722a5d14e004bb1e90d0e850366e1ec

  • SHA1

    a98916f7add8e783d6646d37680651ca4412220c

  • SHA256

    a36807ff99bde01f1d887e6f73d92b1c21a2049726a7d7555845e8f8639c05c1

  • SHA512

    7caac7e5a40f88f6757b8beae3c35b1db536008224f9bd15bb67f45521c95c35b3e400a2c828e70a8caaf0d3e90357f5c38ff535b439958bc9eee2d809549724

  • SSDEEP

    393216:Bo88DkvZ+wNiWtRReJJB4PWjoNkcZ/aeeV97uVrr0mf26YiPqDKT9:BoVDYiQRRet46UC2fnYEqs9

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

html-nl.gl.at.ply.gg:38534

Mutex

cyG6dP3JpX7QpOYW

Attributes
  • Install_directory

    %Temp%

  • install_file

    XWorm V5.2.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Horror Edition.rar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Horror Edition.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2760
  • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition.exe
    "C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Users\Admin\AppData\Roaming\NjRat 0.7D Horror Edition.exe
      "C:\Users\Admin\AppData\Roaming\NjRat 0.7D Horror Edition.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 824
        3⤵
          PID:596
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1972
    • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition.exe
      "C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
      • C:\Users\Admin\AppData\Roaming\NjRat 0.7D Horror Edition.exe
        "C:\Users\Admin\AppData\Roaming\NjRat 0.7D Horror Edition.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          dw20.exe -x -s 828
          3⤵
            PID:1248
      • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition (2).exe
        "C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition (2).exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          dw20.exe -x -s 212
          2⤵
            PID:2700
        • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition (2).exe
          "C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition (2).exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            dw20.exe -x -s 1172
            2⤵
              PID:2840

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\NjRat 0.7D Horror Edition.exe
            Filesize

            15.4MB

            MD5

            0b8196e6cdd002fa10bfd50843b6b172

            SHA1

            2808af92f2136c2dcf06c8bc06dfa3c994dede32

            SHA256

            0b96fadaed63004ab89c43e790100bf0ac03aae66a10239263ae64a9f01819a8

            SHA512

            69c4c2fd64d6886c11eb797a6829e315faffcc0095a884215753632e544727f655838fc34c2a8183179d8db2fdb63183fe0f3b69b9526d5c1fc857ba23b8ea69

            Download Submit

          • C:\Users\Admin\AppData\Roaming\XClient.exe
            Filesize

            66KB

            MD5

            0ee1db9797bf41800cfc7c502a52d1ea

            SHA1

            412c0525c66b6a0ebfad4519d81e9b397747ddb5

            SHA256

            ae6416d4bfcf5d1bb5c9f4ec0851d9e6464369be50c459f12cfbd615ae59aad8

            SHA512

            f7c6ab86bb21b77fdad832e09f037f2e9245b920f2edbc40857567c36bbccd3863d8a5b66f3e3b4286284741ac1e93d25a06d0f264e2e0b2f6c28f9eb0e9b213

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\GeoIP.dat
            Filesize

            1.1MB

            MD5

            a0a228c187329ad148f33c81ddb430bb

            SHA1

            d70ec83d1b15b3156df73802dd1bec024b1b9346

            SHA256

            b4bfd1ebc50f0eaab3d3f4c2152feae7aa8efad380b85064153a6bfd006c6210

            SHA512

            0fe0a62c07f7ade0e6bfac8843c13c055369177935d801488a993bc4bcdb9da220ba1b37df2027dab8af7c15e5cf00b3e8f223b12165d8a1b0b9c30dc9939332

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\NjRat 0.7D Horror Edition.exe
            Filesize

            15.5MB

            MD5

            23f3ea9746e052a4ea7a08b955575730

            SHA1

            be368be9931d2bc6f21da8c0064435f9aaca08d9

            SHA256

            9822384adf44368d8f2a42db17f76ab19c9e5ebdbe35bf65e22b3fcf7362f774

            SHA512

            c80fc29163cd17512b9e14979eec50ea14223c0aa5081ba5f6b69e825d683c32d1e1c995d9b8c38bf5a96e441393aee47592af7856c251ae25c85d9ddae35861

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\WinMM.Net.dll
            Filesize

            43KB

            MD5

            d4b80052c7b4093e10ce1f40ce74f707

            SHA1

            2494a38f1c0d3a0aa9b31cf0650337cacc655697

            SHA256

            59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46

            SHA512

            3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\cam.dll
            Filesize

            99KB

            MD5

            8ce3060686462fc72ece2701caa13e3b

            SHA1

            19fc9892200de4db332ddd0c14b4b6fd9a35ccd4

            SHA256

            881d5afb9aa4799c73e75dcd28587dba85dd844e4137287ea48c6b66525e2638

            SHA512

            ef38e00b054240a0d4747bfd79db860015ed027735c360de58af6889a69482109ccf74770608a2750542457ac38aa79367431ff6ca77fae44d7e3a7023f33a17

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\ch.dll
            Filesize

            44KB

            MD5

            11fde8a47647c3bc98d57f3a9f3a97a3

            SHA1

            e813c17973e77b7aa22b9f539c3c97c624acafb1

            SHA256

            7032cb496f866ec1c9304f2c3cd8859472168838a11aba1571f51875a75074af

            SHA512

            1401f40569db7679014ab282477a5560b3bc6f51284e501e0e878881522db102b448566bae50ab6c1027a196de410a9ac8770dfa2208d14e5dfcc3c05e766763

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\fun.dll
            Filesize

            8KB

            MD5

            ddce53e6a021aa8e146d9fce35e97e53

            SHA1

            7a4c69888e821e1d775c899ec5b3fdab267c7fbd

            SHA256

            57b66a81716e1737e5b8ecff2c269f00e2ca6ffbff88960e973c02f5800037cc

            SHA512

            a644892e51a5f09b35b3a89fee6031eeb92eb3ed5e5d05b8e06a96f0348305366f211ee959f94aaedb6f0c59608e49a1c2efb157f09cf520c43fe5455abfee15

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\mic.dll
            Filesize

            77KB

            MD5

            9b376f0d44995ca15d43f7943a602fb2

            SHA1

            18a2bb7d13836256bd5f39089203f18d740669d5

            SHA256

            27528a77e27d02aadecabfdf658b2da638bb0ca2f2c60bdd9d0fd5338c1fc346

            SHA512

            4dfb0c49816e0d0c2f7d0d76081725bd48d3713506ec51ac6c06ae7092908d14e3683d707d6f332505163fb0ade0ee6b50a355cd69c25725e829ebb23a3e93b2

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\plg.dll
            Filesize

            65KB

            MD5

            c179e212316f26ce9325a8d80d936666

            SHA1

            14d08b3cda60341d1e9187fc14bd64ebefe4a5b6

            SHA256

            13043521ed6876edf2736fc46a7c49e6b639cfa7a866ca11de26f119796cd521

            SHA512

            1b5eb687a9932c82ab2e655dbc5df8ba667a023e7568dbbd13c503a54661763193bde11937f87e2e09b88d770c8357eda07589d526e6103db058038e3ce3b750

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\pw.dll
            Filesize

            284KB

            MD5

            ac43720c43dcf90b2d57d746464ad574

            SHA1

            eae39df1c717ca74f6f04d5ca8478ea55145535a

            SHA256

            ca6367d1ab873a55ced13d7024c530bbe4a6a703813225233e59041c7ce14eaa

            SHA512

            9082b3cd8b36031256923c8f2bed628e9331129bbf09d111d9d02268a49e493248e5638ddee5b02da66e9159a608f8f26499ca0f736d6a369a30f71950c60d40

            Download Submit

          • C:\Users\Admin\Desktop\NjRat 0.7D Horror Edition\plugin\sc2.dll
            Filesize

            46KB

            MD5

            2d65bc3bff4a5d31b59f5bdf6e6311d7

            SHA1

            43962fbeb93fc267fb1c7036a12b8c5d6f40c28a

            SHA256

            010b1ec566be774a2d12146f9826aa31fd7eb6ffe7b45ce5e572b2d8c7f815c3

            SHA512

            b210d447cc9b4b89402a2a1d3d5e9cfe13ae897c47094be4110ed3aac109152c8a45ec138f73b703e7d3799934234cba4ca3f2439b3dd193a4cec671b9edaa6a

            Download Submit

          • memory/596-156-0x0000000000470000-0x0000000000471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1160-170-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1160-183-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1248-182-0x0000000000460000-0x0000000000461000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1952-185-0x000000001B1A0000-0x000000001B220000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1952-143-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1952-144-0x00000000003B0000-0x00000000003C8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1952-162-0x000000001B1A0000-0x000000001B220000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1952-169-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1972-164-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/1972-187-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/1972-188-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/1972-163-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/1972-184-0x00000000024A0000-0x00000000024B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2052-154-0x0000000000AF0000-0x0000000000B70000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2052-151-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2052-153-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2052-152-0x0000000000AF0000-0x0000000000B70000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2052-157-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2052-155-0x0000000000AF0000-0x0000000000B70000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2092-181-0x0000000002EF0000-0x0000000002F70000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2092-186-0x000007FEEEC00000-0x000007FEEF59D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2092-179-0x0000000002EF0000-0x0000000002F70000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2092-178-0x000007FEEEC00000-0x000007FEEF59D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2092-177-0x0000000002EF0000-0x0000000002F70000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2092-176-0x000007FEEEC00000-0x000007FEEF59D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2116-209-0x000007FEEEC00000-0x000007FEEF59D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2116-211-0x000007FEEEC00000-0x000007FEEF59D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2116-210-0x0000000000940000-0x00000000009C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2116-212-0x0000000000940000-0x00000000009C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2116-214-0x0000000000940000-0x00000000009C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2116-213-0x000000001BEF0000-0x000000001BF02000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2116-216-0x000007FEEEC00000-0x000007FEEF59D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2224-180-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2224-166-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2224-167-0x0000000000D60000-0x0000000001CEC000-memory.dmp

            Filesize

            15.5MB

            Download

          • memory/2700-198-0x0000000000560000-0x0000000000561000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2732-137-0x00000000012B0000-0x000000000223C000-memory.dmp

            Filesize

            15.5MB

            Download

          • memory/2732-150-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2732-136-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2792-207-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2792-196-0x0000000000A30000-0x0000000000AB0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2792-197-0x0000000000A30000-0x0000000000AB0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2792-194-0x000000001D070000-0x000000001D082000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2792-195-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2792-192-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2792-191-0x0000000000A30000-0x0000000000AB0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2792-190-0x000007FEEF760000-0x000007FEF00FD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2840-215-0x0000000000470000-0x0000000000471000-memory.dmp

            Filesize

            4KB

            Download