General

  • Target

    New Client.exe

  • Size

    167KB

  • Sample

    240620-yx65jazdjj

  • MD5

    aff7f6841207d3f856b402c10b98ba3b

  • SHA1

    9c546d837abea8668bf4aba214b8d276c29e3a94

  • SHA256

    12f7ba7143aee8b5f1b1af523be033dd305c39af612b8de1057b461af934d97f

  • SHA512

    bf4c0ecb59dd80eb3e19f0435fed148bfec6ff5d5631aab20ad6e9d61839ba7c5b9cafde1a01a421d06cc492693f64fdb9abb2297afbb4ac7d9105476745fe79

  • SSDEEP

    3072:f6eOfoN36tLQviFCu9BnxpfWl9zRaF9bPYvM+UJ8T2SXZyrgoBJtbN/3MCK2kev0:fMk9zdvMA/JdSI5eb

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

LOX

C2

127.0.0.1:10935

Mutex

Microsoft Edge

Attributes
  • reg_key

    Microsoft Edge

  • splitter

    |Ghost|

Targets

    • Target

      New Client.exe

    • Size

      167KB

    • MD5

      aff7f6841207d3f856b402c10b98ba3b

    • SHA1

      9c546d837abea8668bf4aba214b8d276c29e3a94

    • SHA256

      12f7ba7143aee8b5f1b1af523be033dd305c39af612b8de1057b461af934d97f

    • SHA512

      bf4c0ecb59dd80eb3e19f0435fed148bfec6ff5d5631aab20ad6e9d61839ba7c5b9cafde1a01a421d06cc492693f64fdb9abb2297afbb4ac7d9105476745fe79

    • SSDEEP

      3072:f6eOfoN36tLQviFCu9BnxpfWl9zRaF9bPYvM+UJ8T2SXZyrgoBJtbN/3MCK2kev0:fMk9zdvMA/JdSI5eb

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks