General

  • Target

    PornHub.exe

  • Size

    303KB

  • Sample

    240618-w7fzzsyclq

  • MD5

    9b95850ba61105402a304d85c4b2fb63

  • SHA1

    82b7de9e072659cb44c4dce2b8fef57ea2824b2f

  • SHA256

    9d91cb90ecc7461de1fc59118a06ebc4adabe2d3e31c918b229a6f49e3c8c87b

  • SHA512

    87828c6af036b083c0ca9bd4781b79a5be137e6a8b333b6aa81f44fba03568f743a327bf16c4b2995d42f4408f956a8846a7a2e2dd6d60ccf13418a7ff505f8c

  • SSDEEP

    6144:A0JfijNKuI9z1Uf2ysujR69SLDAoqLvqKSM4OHGobVKSZ+u:A0JfijNKuI9z1UWSo8Sou

Malware Config

Extracted

  • Family

    njrat

  • Version

    Platinum

  • Botnet

    LOX

  • C2

    127.0.0.1:17799

  • Mutex

    svchost.exe

Attributes
  • reg_key

    svchost.exe

  • splitter

    |Ghost|

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15