njrat | f6e3d9034d0dfbb89293fd65389ab7c841de4fe37dc2de3a2f4fd3e0b2f4c0d0

Sharing

Copy URL

Twitter E-mail

General

Target

kwish client.rar
Size

47.6MB
Sample

240625-mpx14svcqb
MD5

2c4defeddf54dbc4deee5b55bcf93f88
SHA1

21b80af8d67782b6e19565d1f49efda1f6df11e2
SHA256

f6e3d9034d0dfbb89293fd65389ab7c841de4fe37dc2de3a2f4fd3e0b2f4c0d0
SHA512

992b0ef9230d77ee9640bfc1993759b0e648cf9e90bdf4a368823918e9fb1517e7df29a82fad75429b0955c353950675e80befa48d120804ad9e9f75224abc2d
SSDEEP

786432:8QZfL5zY5ppbbDg0+AfOq67O9EcycNrJ8V14O7doM3dM6WrROYX1teuqZIourH+g:8Jbn1fWq67O9audI4YoM3dlWrEI16IHP

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

park-curve.gl.at.ply.gg:38826

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  KwishClient/KwishClient.jar
- Size
  
  60.1MB
- MD5
  
  1fa329e9876bb9d14e463a4aae3534e4
- SHA1
  
  b20480b592e07a2ffbf217c8621b21cfa666290a
- SHA256
  
  69aa16e8f240e4411ff3771f69bbb605b20781dea020ecaaf6ffdae6ab43ca3c
- SHA512
  
  f20182a5cc8048a2ae446ad0dd2fea83eb3223b4195a893d5350853261f76c9fa3aa6141cfee45ae3d9611b88304fbf4f0e981c8ead806a28c5d2ccfcfdbee83
- SSDEEP
  
  1572864:uQTQqzcknx98oxGxZ1Yh6ZTxNU6hwRKcuQns5FXjCv:uQTemx98oxGxZ1LZTBhwRLX0Xo
Score

7^/10

discovery
- Modifies file permissions
  discovery
behavioral1
- Target
  
  KwishClient/Start.exe
- Size
  
  25KB
- MD5
  
  17d3aede5181494ef3a4a00513a84398
- SHA1
  
  caaacb5eb2582abc96af355c4cd7ce33863521d2
- SHA256
  
  7695430fc6530b309257c463264469f1f2c8dc5053ccd50876b196a9d73b9a5f
- SHA512
  
  482bf196726c4f87fedaa7b90bf18c61b4e24a78cc5479f59a2b0e2a76649f9c2ea2444899d42d9d6113182b39b7486e32483f0664bfa9f08435c45f812b4624
- SSDEEP
  
  768:svpQGEN3DpCuhp8mpSrVHyF49Fu9wq1U/XdZU4jFl:Qr4dCuhRpSZyzRuFZ7H
Score

10^/10

njrat umbral hacked discovery evasion execution exploit persistence ransomware spyware stealer trojan
- Detect Umbral payload
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Possible privilege escalation attempt
  exploit
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral2
- Target
  
  KwishClient/resources/OpenAL.dll
- Size
  
  1.0MB
- MD5
  
  a21338306c8027ebc459c57db8459777
- SHA1
  
  dc8f7a5704164fe3dff3631c326bab7159a9358d
- SHA256
  
  1e128050e6ecd9da7a030f76b24d93a1dcb7de55b02d80cd2e2683818e895b5a
- SHA512
  
  eb80fc1924985db488175ee87389cf8ce7e851f78370f339a77ff09d7323ce5fee2e63e3562d299a6436a4d5f31cce0194fe2d1c9c4cc47809ba6d3cfb8a47eb
- SSDEEP
  
  24576:Xr0+fjUIVeMqRF/HuYDstAyAS7vUipuBuAEgFpti33Ja:PjF7qRF/HYrZvUnBuAjpti33M
Score

1^/10
behavioral3
- Target
  
  KwishClient/resources/OpenAL32.dll
- Size
  
  982KB
- MD5
  
  bea36e6601b1b9c5dc85eb66cb438887
- SHA1
  
  aa3fa9446b7c1264e2b463bb53946718e4f8ce82
- SHA256
  
  ac63e0bc581a1fd7ac0bd2553a10913e31ff8eedfe356816dfad186c427ca5ba
- SHA512
  
  9f589c418098efc6341a536634e4a59a7fad22af6f83042c101f22da524fd89057d4eeb420986e22a9499a2690938da15203e9dad0e0e57571a800bfeaa418dd
- SSDEEP
  
  12288:oh6tnSOepf4az4/DZMyLt3r4BZ7cgDT2h49aUydbyaQ/0Z0x/5MPYjUdFpti3pxN:ohTzKukl8D2hZpuBuAjgFpti33/NL
Score

1^/10
behavioral4
- Target
  
  KwishClient/resources/SAPIWrapper_x64.dll
- Size
  
  83KB
- MD5
  
  214a0bc5ae5882495d94f7779d64b323
- SHA1
  
  c4a293116e7531d950db2d5ea737e61a9912b61d
- SHA256
  
  a8b701f1ed640bfc7e842f9bc07dd493fad3284f15bc1fa9dfc15371733d6326
- SHA512
  
  0da432d50569f753c0c9831b8854732c0e23fb382ef36d17a1d460e8e4c431495ce0358cc658da87d19e39c58230370423a58adabdf3f92a578a2279d84a7e58
- SSDEEP
  
  1536:/0tGA00KTHlHZeCbxnnQOzAGg1wsWjGpRsBQ+8/iJyzfGdc9dlVkloExc:/0tgTTFHZj9nnQOz1I0GpRsBQ+8/iJyZ
Score

1^/10
behavioral5
- Target
  
  KwishClient/resources/SAPIWrapper_x86.dll
- Size
  
  70KB
- MD5
  
  3d47e750e4ec109d441a427ab8b37614
- SHA1
  
  70e85ab3f880a7c3d5f0a9aae0f65661cb8af5a6
- SHA256
  
  fa69dab9c06f3cdeb8bd7c1b017fb072ba4262682ea21a2e723f00a78f86dc29
- SHA512
  
  c24579b0ec34bae0533997b3b4511fd3d590fce0d7881e6f6cda3c763437ecf525aabc203a6dbea4b3c912c3d4f989580ffe2021e9c482fa65d3f53117fe4ea5
- SSDEEP
  
  1536:Gw3pkA45KEsgSCd5m89ZqQQ4hxsWXGcd38haRoD:asFwHx1hj38haRG
Score

1^/10
behavioral6
- Target
  
  KwishClient/resources/glfw.dll
- Size
  
  347KB
- MD5
  
  532f9686b0b55b3d7cf9f6733f29ba28
- SHA1
  
  9d95a8f52cbd48ab87937714eb4fd2129ed10f0a
- SHA256
  
  7cc30e89f7fd61ca8532b4ecb9e05598cf426d0a336bc382a128e28b824a8962
- SHA512
  
  6e6fe022238e69565fed6cb85fa74b913aed187487da4133a3e14b7eca230bbf5d70c8ab88d02b15e68a0a10549130ff2b0f2eb7d85ef3af8f92218327cfadfc
- SSDEEP
  
  6144:BzJVXAXWofCvG4AnlKVGb8Z7ESBI5yTAdj:BzJVQXW6CvFAlOxzG
Score

1^/10
behavioral7
- Target
  
  KwishClient/resources/glfw32.dll
- Size
  
  326KB
- MD5
  
  5c7b7a7e9ceedd779ddf531ea58db8e9
- SHA1
  
  b9a18c65931b474a453cca5b20903220975f0fc9
- SHA256
  
  db38ee25b700dd4228f844ad22569c155cc3b13ea3940576832a8a9051acfa05
- SHA512
  
  fb5e42cd087776b9fdbc55fc90e2345c7735a9dcf52dc3c9917df344e9b4a84b338e15192a648d480bad27544176ee4430440f3f94c181870708b8bf70906b6a
- SSDEEP
  
  6144:KP2tJ7heVTpbUEazsvJezmofinyAOYTi2O:htiTpYDoJe6SIO
Score

1^/10
behavioral8
- Target
  
  KwishClient/resources/jemalloc.dll
- Size
  
  248KB
- MD5
  
  cdcaa2d4874a0aaab526c52e1fff2fea
- SHA1
  
  8a6eb00b934da6c97b0dc9d2dc321843076c8987
- SHA256
  
  b147a3cc1fce8a514a558a030fe647a4a91761769eedec1c1ca2be1cd712a9e8
- SHA512
  
  270ae883818c2cea891c3efae717aa3f455c902721ad80441b0f2b28e58bf9aeba67bb1fb65d76f20d09a4c937a089ee1018439b3815b9fcdb7d7fdcce704853
- SSDEEP
  
  6144:5ISPvZG+86Mzlpb2mnk5uIXhy3hKT4W5i6wb:5n86MppbkxwKMb
Score

1^/10
behavioral9
- Target
  
  KwishClient/resources/jemalloc32.dll
- Size
  
  191KB
- MD5
  
  93aeb5ec9f94134784373f370d295a61
- SHA1
  
  0d3c5c4d18d9a60501bce1f586684cd2fc5c466f
- SHA256
  
  7270b1d189c68d3fb655411d0e7002bc9b131328b3cff726946e8fe16fe5b09a
- SHA512
  
  2e79b858977c6d39e4380cbee3d70b01d4d47c4291f2af6f510f222f29cca53e2de68d6c6b0cf030eb43fb60ab8807756fadae59a8583f69d0f734f9bbe6453f
- SSDEEP
  
  3072:dREMI0SsPaw8FtirHatxHkeaoPg2UYsCMGUd5liXSE0RM:PbPawm0utRaoP1dX6M
Score

1^/10
behavioral10
- Target
  
  KwishClient/resources/lwjgl.dll
- Size
  
  439KB
- MD5
  
  310adc26c92b020fb6d2944092d81312
- SHA1
  
  d01410449d2402a952e9a6063699f1868196883f
- SHA256
  
  207fcf6f27e60600772d202f52ba00edcd085048da30523d3ac03092dd30f873
- SHA512
  
  db4c6f1c8accea57ad395be51f3fd673cd5577b955ea5051ffd2269c1fa62437e18753104499ecd0af954fd5fc6a9478a13f499f68dc1e12295823f7120ede2d
- SSDEEP
  
  6144:02gUXvUg6HVz/8rCkEZK+rY1ELoR18+D:02gUXvUnF/m8VNkR3
Score

1^/10
behavioral11
- Target
  
  KwishClient/resources/lwjgl32.dll
- Size
  
  419KB
- MD5
  
  b8ea778d75b1150ec0eec59d764e57cd
- SHA1
  
  a7aa4fbaa375fd39c4cb8eabeef45b44d5848bcb
- SHA256
  
  8c9490c5267a615bf0d90a84066628791a453aa30abbe86a8424281b8cdbfc79
- SHA512
  
  38e10e2cca2079dace6c4f1089d453844cf2b9eb65b0cd01800b478bfcc6117098366ef8547af71fc13d619574ac879ff259698c2d45023ca4a9214616f33495
- SSDEEP
  
  6144:7s1xf0LNGSd4e1uakLRm8KMbh23nuR+BF2QTX/MhV7:7af0LjDlk88K4yho7
Score

1^/10
behavioral12
- Target
  
  KwishClient/resources/lwjgl_opengl.dll
- Size
  
  333KB
- MD5
  
  780ed18868c28c0c249379982ea3297a
- SHA1
  
  8e9836dd0d1691356db654aa02533ad80e9bf52c
- SHA256
  
  92aec0f2b142a56ad8f361919ee0e6b387c92269efc9645071db6561ae9b6324
- SHA512
  
  430136fa22df4753c460ba4f3bfe18f9be1b1d0f0b59deedb9d5ba1e1db54ae5da3a74c3951eb59ae0b8760b5b6806373a76811c5b6f69f18bd966978f5d0e1f
- SSDEEP
  
  3072:4LVyef0be4PP+OI7RSW3Dm/W99vMdvBAoF/5OZX2lh2mH3+F5Tye:MVrQnXrW3iWCaZeO
Score

1^/10
behavioral13
- Target
  
  KwishClient/resources/lwjgl_opengl32.dll
- Size
  
  316KB
- MD5
  
  68b37c18052fb770e77477e1e53a3428
- SHA1
  
  2e0fe073b23ab972af00025097efcfcb446d927f
- SHA256
  
  8fc4d3f3c0e0a7114f0caec7f2e734fec7e7294ab33696f1557a01e86c0ff128
- SHA512
  
  bd49a00e8e162f1c501649f71fc0a73ca72b7a433a654ab4dd19703d75f7575f195efba9bda1f2f9246f171a0e562972024cf65135c4f774adccb8c10e031561
- SSDEEP
  
  6144:hET0PjEp8p1PWjIe9Oz+0zHWIXYtrR9A5:CWlWF92
Score

3^/10
behavioral14
- Target
  
  KwishClient/resources/lwjgl_stb.dll
- Size
  
  488KB
- MD5
  
  236817b9ba4f101e25518f1158b7691f
- SHA1
  
  8b047fb3f6c31946fe33157e7912ac31595cd3b8
- SHA256
  
  64b424ce5142ce23b43e2e2bc5cc8543add7c0037a151b279e4e17aa7f7600a0
- SHA512
  
  bc5624cc4b08f75247ff6c53f737be9938199273a45065a8fb05b6057aa7bbd1a39a1b59adb86d952a2680080dbb1ef3483a8e054029f0bf62395e0c551dbe9c
- SSDEEP
  
  12288:kJ3JRsrmLj3DyaVfBrWFWplDFRWeotDqR:UngmLTDyaVJrWQXDFgeUqR
Score

1^/10
behavioral15
- Target
  
  KwishClient/resources/lwjgl_stb32.dll
- Size
  
  432KB
- MD5
  
  a0e616c8b75575f45497864d650005ec
- SHA1
  
  1c28819763f77cbb4593a95b1cbb0999f136695d
- SHA256
  
  1907bb0e022628fc624d7c3b002e9b79e056d789d6c7578f7f046ea414ac16d5
- SHA512
  
  04cba7e7fb2c87cf5f4a9ab6f68eb0f6e8d32c3841a0a68505d7b612f1a52387b423069fc3732036c5cbabc8e933c429f6d8820ad3d50b293d0fb2a06de3c83f
- SSDEEP
  
  6144:e9HIdmzLf0gDa0lhSSwGEZ5FIh/wqdmJsUWcZEfupWGhAOcsxz:6HI0Lf0SxlhSxG6gwYFUWVfIhKgz
Score

3^/10
behavioral16
- Target
  
  KwishClient/resources/lwjgl_tinyfd.dll
- Size
  
  209KB
- MD5
  
  5dc7452c51330beb7a178d7093cdac49
- SHA1
  
  ec0fd8007afba6697d5b3b8249b5be27096a0ce8
- SHA256
  
  696a87865bf27f2cb9bc866e6d75e1a4ee3e8c469180cb9f8ebb90a2af876d10
- SHA512
  
  a671123d7ea2f5dd2f307e19627b456b7a1fe62920c64cb08fdcc4be5f0ba017c5b72a0e9ba428fa5996a82584e039818bc41051b7e883d70252b69926f82716
- SSDEEP
  
  3072:7+Oyz6WBIDhWW3gDYP1EKvqotQZGXNKSMYghpYCS1DQmdJQFACZ1sai3Uzz2KC:7+zxShWW3gDYtC7cXfMY63S1ag/bK
Score

1^/10
behavioral17
- Target
  
  KwishClient/resources/lwjgl_tinyfd32.dll
- Size
  
  178KB
- MD5
  
  ae277b62653af1bdbb27b73ea98970bb
- SHA1
  
  079540a19727772f056cd80535e9645a674190b4
- SHA256
  
  432b6f80da7799b582178996575953da2eddfbff6bfef3202724eb4f85a10ffc
- SHA512
  
  37bf032cb8249973953a8f190e97c664dc99f83b232997bffd0fd677e3913ed2961fd9c116f64ee04c45d9e0e62e200bd814f95929d62d16a1b5eddffa351f19
- SSDEEP
  
  3072:6R4pzFYxU7Y1YEdDv7WB8Y8FLhYwBJ+2FBP1AUbUsPZnk7SWzs7yZu/SjXXQKzR:oyzFztEd/FY8FFYwC2LNAuPZkzsj/J
Score

3^/10
behavioral18