General

  • Target

    New Client.exe

  • Size

    178KB

  • Sample

    240622-r5z8masblg

  • MD5

    1889ac6b7826d878d00cd26083cd42f7

  • SHA1

    8514faaeea994385f78b1ded818dd14b2ccf4526

  • SHA256

    9e4e496db20db336f254e3ac6cadc64d8d8fd4cb67f41ea344a07fcf7a0838e3

  • SHA512

    16e202f1599a4e62eb2e6d7d20672040411bc14b122af23dbfe778faac84ce2da809b5a16501d46313582003c7a82f730db3b58b544d716db42b9741dadc2e3d

  • SSDEEP

    3072:hNscw0oN36tKQviFCcRBnjfWl9zPaF9bcYvMl4NpVq8BxFRzaqF+o2GQJ7/JzqVy:hsY9zkvMlgVqwlL

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

LOX

C2

127.0.0.1:14500

Mutex

Word.exe

Attributes
  • reg_key

    Word.exe

  • splitter

    |Ghost|

Targets

    • Target

      New Client.exe

    • Size

      178KB

    • MD5

      1889ac6b7826d878d00cd26083cd42f7

    • SHA1

      8514faaeea994385f78b1ded818dd14b2ccf4526

    • SHA256

      9e4e496db20db336f254e3ac6cadc64d8d8fd4cb67f41ea344a07fcf7a0838e3

    • SHA512

      16e202f1599a4e62eb2e6d7d20672040411bc14b122af23dbfe778faac84ce2da809b5a16501d46313582003c7a82f730db3b58b544d716db42b9741dadc2e3d

    • SSDEEP

      3072:hNscw0oN36tKQviFCcRBnjfWl9zPaF9bcYvMl4NpVq8BxFRzaqF+o2GQJ7/JzqVy:hsY9zkvMlgVqwlL

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks