njrat | 582d37ba8e276a3b0c302e3b832c5694f73a4c464198b9880849f53ecba46a1e | Triage

Submit
Reports

Overview

overview

Static

static

why.exe

windows11-21h2-x64

Sharing

General

Target

why.exe
Size

55KB
Sample

240629-1m1acaxarg
MD5

8c9602a318802643b31578dbcfaf7a4a
SHA1

44489d5510b1b65bf61bed684eb012950440d775
SHA256

582d37ba8e276a3b0c302e3b832c5694f73a4c464198b9880849f53ecba46a1e
SHA512

e84c2831fd1ec95f95652c8d17bd7871283f3224a27e54d13327837d5ee7d267363aa6584713c21f7ff89ce96b04d25be676fde7ea9fbcec3dce1e6198a20d65
SSDEEP

1536:Z8v4Dnpe/NoTcwiDESPDJwsNMDpXExI3pmom:O4Dn8ymDRPDJwsNMDpXExI3pm

Score

10^/10

njrat umbral h2cked execution spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

why.exe

Resource

win11-20240508-en

njrat umbral execution spyware stealer trojan

windows11-21h2-x64

15 signatures

1800 seconds

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

h2cKeD

C2

away-displays.gl.at.ply.gg:26916

Mutex

daacf8c32d27b9947e8a0255b61f395d

Attributes

reg_key
daacf8c32d27b9947e8a0255b61f395d
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  why.exe
- Size
  
  55KB
- MD5
  
  8c9602a318802643b31578dbcfaf7a4a
- SHA1
  
  44489d5510b1b65bf61bed684eb012950440d775
- SHA256
  
  582d37ba8e276a3b0c302e3b832c5694f73a4c464198b9880849f53ecba46a1e
- SHA512
  
  e84c2831fd1ec95f95652c8d17bd7871283f3224a27e54d13327837d5ee7d267363aa6584713c21f7ff89ce96b04d25be676fde7ea9fbcec3dce1e6198a20d65
- SSDEEP
  
  1536:Z8v4Dnpe/NoTcwiDESPDJwsNMDpXExI3pmom:O4Dn8ymDRPDJwsNMDpXExI3pm
Score

10^/10

njrat umbral execution spyware stealer trojan
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratumbralexecutionspywarestealertrojan

© 2018-2024

Terms | Privacy