General

  • Target

    sound.vlc‮.exe

  • Size

    75KB

  • Sample

    240713-pmhvhszhrj

  • MD5

    1433bbece031ccbe6685a79c78bf9dfb

  • SHA1

    8ce809797df81b6ecaa5bde6e4e4e957d55dd046

  • SHA256

    6e7ea9a72f087f30cc74d88c46b13661fddb32d7e5f2719b453d509bd1cb2f9c

  • SHA512

    81824de2a061762e3bb69c22cbe7e7d68dfd212ab15249ca771c196c11fb2b61f70d0f8b35f7142315a94f55566ae5582417f30a08899e1b0a8915ed648780cd

  • SSDEEP

    1536:OIR7IMUoN36tWQviFw1cxfFiBnvA8fLteF3nLrB9z3nh5aF9bBS9vMUdS1EAd8II:b9IMUoN36tWQviFCc1sBnPfWl9zLaF92
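The target name above, sound.vlc‮.exe, carries a Unicode RIGHT-TO-LEFT OVERRIDE (U+202E) between "vlc" and ".exe", so a bidi-aware file listing renders the tail reversed and hides the real extension while the OS still executes it as a PE. The following detector is an added example, not part of the sandbox report; the filenames it scans are constructed, and the display approximation implements only the RLO/RLE reversal rather than the full bidi algorithm.

```python
"""Flag filenames that embed Unicode bidirectional-override characters.

Added example (not from the sandbox report). The sample names below are
constructed; the display approximation only models RLO/RLE reversal.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bidi control code points that can change how a name is rendered.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


@dataclass
class BidiFinding:
    raw_name: str
    controls: List[Tuple[int, str]]  # (index, control label)
    real_extension: str              # extension the OS actually acts on
    displayed_name: str              # approximation of what a bidi UI shows


def approximate_display(name: str) -> str:
    """Reverse the run after an RLO/RLE up to a PDF (or end of string).

    This is a deliberate simplification of the Unicode bidi algorithm that is
    enough to show why the real extension disappears from the rendered name.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202e", "\u202b"):
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1  # skip the terminating PDF if present
            continue
        if ch in BIDI_CONTROLS:
            i += 1     # other controls are invisible; drop them
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def inspect_filename(name: str) -> Optional[BidiFinding]:
    """Return a finding if the name contains bidi controls, else None."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name)
                if c in BIDI_CONTROLS]
    if not controls:
        return None
    # The OS ignores display order: the extension is whatever follows the
    # last dot in the raw code point sequence, ignoring control characters.
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    return BidiFinding(name, controls, real_ext, approximate_display(name))


def scan(names: List[str]) -> List[BidiFinding]:
    """Scan a list of filenames (e.g. from a drop folder) and keep the hits."""
    return [f for f in (inspect_filename(n) for n in names) if f is not None]


if __name__ == "__main__":
    # Constructed inputs: the page's target name plus a classic decoy.
    for hit in scan(["sound.vlc\u202e.exe", "invoice\u202efdp.exe", "report.pdf"]):
        print(f"{hit.raw_name!r}: shown as {hit.displayed_name!r}, "
              f"real extension .{hit.real_extension}, controls {hit.controls}")
```

A practical check is to run `scan` over file names seen in process-creation or file-write telemetry and alert when `real_extension` is executable (exe, scr, com, bat, ps1) while the displayed name ends in something benign.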

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

LOX

C2

127.0.0.1:15240 (loopback; the extracted callback address is not routable, so this build as configured cannot beacon off the host it runs on)

Mutex

Chrome.exe

Attributes
  • reg_key

    Chrome.exe

  • splitter

    |Ghost|
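The splitter, mutex and reg_key above are the values a config extractor pulls from the binary, and the splitter is also what separates fields in the bot's C2 messages. The parser below is an added example, not part of the sandbox report or of any njRAT tooling. It assumes the common njRAT-family wire framing of an ASCII decimal length, a NUL byte and then the payload, with payload fields joined by the configured splitter (here "|Ghost|"); the beacon messages it parses are constructed for illustration, and the field layout inside them is only an assumption.

```python
"""Parse njRAT-style C2 traffic using the splitter from the extracted config.

Added example, not from the sandbox report. Assumed (not stated on the page):
messages are framed as <decimal length>\x00<payload>, and payload fields are
joined by the build's splitter. Sample beacons below are constructed.
"""
from typing import List

SPLITTER = "|Ghost|"          # from the extracted config on this page
REPORTED_C2 = ("127.0.0.1", 15240)


def frame(payload: str) -> bytes:
    """Wrap a payload in the assumed length-prefixed framing."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> List[List[str]]:
    """Split a reassembled TCP stream into messages, each a list of fields.

    A trailing incomplete message is left unparsed (it is not an error: the
    caller simply feeds more bytes next time). A non-numeric length prefix is
    an error, since it means the stream is not in this framing at all.
    """
    messages = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break
        length_str = buf[pos:nul]
        if not length_str.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        start = nul + 1
        end = start + int(length_str)
        if end > len(buf):
            break  # incomplete trailing message
        payload = buf[start:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        pos = end
    return messages


def looks_like_njrat_beacon(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Cheap detection: valid framing and the configured splitter in use.

    Requiring at least one multi-field message avoids matching arbitrary
    NUL-containing data that happens to start with digits.
    """
    try:
        messages = parse_stream(buf, splitter)
    except ValueError:
        return False
    return any(len(fields) >= 2 for fields in messages)


def c2_is_loopback(host: str) -> bool:
    """The extracted C2 on this page is 127.0.0.1, i.e. non-routable."""
    return host.startswith("127.")


if __name__ == "__main__":
    # Constructed beacons; the field order is illustrative only.
    hello = SPLITTER.join(["ll", "HacKed_0123ABCD", "DESKTOP-1", "user",
                           "24-07-13", "", "Win 10", "No", "Platinum"])
    stream = frame(hello) + frame("inf") + b"42\x00trunc"
    for msg in parse_stream(stream):
        print(msg)
    print("njRAT-like:", looks_like_njrat_beacon(stream))
    print("loopback C2:", c2_is_loopback(REPORTED_C2[0]))
```

Because the C2 here is loopback, the useful hunting pivots are the host artifacts (mutex and Run-key value "Chrome.exe") and the splitter string itself, which survives in memory and in any outbound traffic if the sample is reconfigured.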

Targets

    • Target

      sound.vlc‮.exe

    • DcRat

DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

AutoIt scripts compiled into PE executables.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks