Overview

overview

10

Static

static

10

Servers.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Servers.exe

  • Size

    93KB

  • Sample

    240523-m7le2adh8v

  • MD5

    11c3d736636d5acad291182340e6e647

  • SHA1

    e64cd1bfe00a133b377797b4fee57895ed277633

  • SHA256

    17f615a23b022f18f3d61c71e03ab634f21da34ae74b0db76763c6caa49cf7d1

  • SHA512

    eebf3190b0a0529376e4dbe1b54f40880f7a8b7d93dfebc8c3a09184ccc9a867b576aafce511701a36d95c1d0b66f1b5179a839056e401189270e46370d285e6

  • SSDEEP

    768:lY3D69hWXxyFcxovUKUJuROprXtwNheYhYbmXxrjEtCdnl2pi1Rz4Rk30sGdpPgM:I6TWhIUKcuOJ2PhBjEwzGi1dDMDPgS

Score
10/10
njrathackedwevasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedw

C2

hakim32.ddns.net:2000

5.tcp.eu.ngrok.io:15949
Mutex

e9825053491379a6131c11cac9dacb5a

Attributes
  • reg_key

    e9825053491379a6131c11cac9dacb5a

  • splitter

    |'|'|

Targets

    • Target

      Servers.exe

    • Size

      93KB

    • MD5

      11c3d736636d5acad291182340e6e647

    • SHA1

      e64cd1bfe00a133b377797b4fee57895ed277633

    • SHA256

      17f615a23b022f18f3d61c71e03ab634f21da34ae74b0db76763c6caa49cf7d1

    • SHA512

      eebf3190b0a0529376e4dbe1b54f40880f7a8b7d93dfebc8c3a09184ccc9a867b576aafce511701a36d95c1d0b66f1b5179a839056e401189270e46370d285e6

    • SSDEEP

      768:lY3D69hWXxyFcxovUKUJuROprXtwNheYhYbmXxrjEtCdnl2pi1Rz4Rk30sGdpPgM:I6TWhIUKcuOJ2PhBjEwzGi1dDMDPgS

    Score
    8/10
    evasion

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks