General

  • Target

    Server 2.exe

  • Size

    93KB

  • Sample

    240622-zxqm8aycrl

  • MD5

    ec6bedfc8918668daf892b946d8d8998

  • SHA1

    ee4ef91775da5314e87bda7bd6bdeb6a8479ce0c

  • SHA256

    c661d366b4023b33cbd80de638f69f3784150b1158ea7241bf01ea1f3cdaaf81

  • SHA512

    c1c5829fa03f7b3e4021fec8d051623412e1d7807beb3c144e0e1f148561310289dbb1365ed1e6c031328005e1ae26b15603f90600417ffea14d73a04d384607

  • SSDEEP

    768:8Y3zeZFKghFchQVTqWnwz/1h3XE/blczxXSsvXxrjEtCdnl2pi1Rz4Rk3msGdph3:ne/K6bTq8itNE2VhjEwzGi1dDiDhgS

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Debil

  • C2

    hakim32.ddns.net:2000

    127.0.0.1:446

  • Mutex

    cc405cae27ac73abb849a970df5f673a

  • Attributes

    • reg_key

      cc405cae27ac73abb849a970df5f673a

    • splitter

      |'|'|

Targets

    • Target

      Server 2.exe

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks