njrat | c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b

Target

vir.exe
Size

336.1MB
Sample

240729-zt8dvsvcmb
MD5

bc82ea785da1180a8a964b3e54ad106c
SHA1

4c1952ce778455af8ed10dca7b9f77d7815e8d0a
SHA256

c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
SHA512

62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
SSDEEP

6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes

encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name
Romilyaa.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows 10 Boot
subdirectory
SubDir

Targets

- Target
  
  vir.exe
- Size
  
  336.1MB
- MD5
  
  bc82ea785da1180a8a964b3e54ad106c
- SHA1
  
  4c1952ce778455af8ed10dca7b9f77d7815e8d0a
- SHA256
  
  c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
- SHA512
  
  62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
- SSDEEP
  
  6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33
Score

10^/10

njrat quasar umbral romka discovery evasion spyware stealer trojan upx
- Detect Umbral payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Password Policy Discovery

T1201

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Umbral payload

Quasar RAT

Quasar payload

Umbral

njRAT/Bladabindi

.NET Reactor proctector

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Password Policy Discovery

AutoIT Executable

Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2