General

  • Target

    фист раткой.exe

  • Size

    25KB

  • Sample

    240819-ygx7pawfpl

  • MD5

    2d3ce34d9950c1a3ec508524828c93fa

  • SHA1

    28a3580bd72fa2bc44cafff9544dbbe067712616

  • SHA256

    983b7c21d2da6a27ce7b4cad2418feb61b509afb4c8ee7e25f49936a3f0bf940

  • SHA512

    573a2c475ce285d458b8ef366f7ea9c5555079dd419ee86c5190806105478820879698edd27b81c861def1d6e11274b75b7e681691103556dac804185d6ba214

  • SSDEEP

    768:svpxYtEjd7vY58g3StZQLQgpdv1lJ4ztX:QWEzY58sSALLXtlazx

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

fistan

C2

senior-feeding.gl.at.ply.gg:11937

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      фист раткой.exe

    • Size

      25KB

    • MD5

      2d3ce34d9950c1a3ec508524828c93fa

    • SHA1

      28a3580bd72fa2bc44cafff9544dbbe067712616

    • SHA256

      983b7c21d2da6a27ce7b4cad2418feb61b509afb4c8ee7e25f49936a3f0bf940

    • SHA512

      573a2c475ce285d458b8ef366f7ea9c5555079dd419ee86c5190806105478820879698edd27b81c861def1d6e11274b75b7e681691103556dac804185d6ba214

    • SSDEEP

      768:svpxYtEjd7vY58g3StZQLQgpdv1lJ4ztX:QWEzY58sSALLXtlazx

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks