General

  • Target

    Server.exe

  • Size

    37KB

  • Sample

    240621-qr8r6swakm

  • MD5

    82c4ad86a871bbf87d2fb06c7ae77b1f

  • SHA1

    956ce301fd037c369a0d1ba684029cd29c83cdc9

  • SHA256

    f592037c09c10079bac9e36b932827e2028ebedd4ef230c984d4f890913b1c0b

  • SHA512

    ef79e56b8d1f8d76dd4c90abff7d998e628ae14e468e3fd7e98708866e874a2be5332d7f5fbcaf4f3d4a5a506e7ab67b7da5cf8ed36f4c1279db79f547d5a8e0

  • SSDEEP

    384:iluvEiTbdvpWNcZ0y8fBC1zHtuLkimh2JrAF+rMRTyN/0L+EcoinblneHQM3epzs:0uZTZ38fBC1z0tmerM+rMRa8NuoDt

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

User

C2

0.tcp.in.ngrok.io:13970

Mutex

d9022b470b50018046185f06ba0c6075

Attributes
  • reg_key

    d9022b470b50018046185f06ba0c6075

  • splitter

    |'|'|

Targets

    • Target

      Server.exe

    • Size

      37KB

    • MD5

      82c4ad86a871bbf87d2fb06c7ae77b1f

    • SHA1

      956ce301fd037c369a0d1ba684029cd29c83cdc9

    • SHA256

      f592037c09c10079bac9e36b932827e2028ebedd4ef230c984d4f890913b1c0b

    • SHA512

      ef79e56b8d1f8d76dd4c90abff7d998e628ae14e468e3fd7e98708866e874a2be5332d7f5fbcaf4f3d4a5a506e7ab67b7da5cf8ed36f4c1279db79f547d5a8e0

    • SSDEEP

      384:iluvEiTbdvpWNcZ0y8fBC1zHtuLkimh2JrAF+rMRTyN/0L+EcoinblneHQM3epzs:0uZTZ38fBC1z0tmerM+rMRa8NuoDt

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks