njrat | 87a799098b81bf8dd35f62c3f40e6a5ba73adb7d551446ba36c4e37a8ab46431 | Triage

Sharing

General

Target

Windows Defender.exe
Size

37KB
Sample

240828-mbbwqavape
MD5

f183956bfef428d2010b67e7cf5fdb7f
SHA1

0b3bd6da13ef9394da1cb11152f2ce62873ae165
SHA256

87a799098b81bf8dd35f62c3f40e6a5ba73adb7d551446ba36c4e37a8ab46431
SHA512

57fa6282fa518cb66185eb1fa62ac49489b03aa1df5c2c241398c300ffed929e0843ce1199b9184236359b5bad8ec2a610847ee69087deb2a0b6719ea15889ef
SSDEEP

384:z6Rrkam6i/Cz3xAdjYWaSyFz1YXnC8W4Lt6rAF+rMRTyN/0L+EcoinblneHQM3eU:OfaC6mNhFz1Yyd4ErM+rMRa8Nuhit

Score

10^/10

njrat boykisser discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

boykisser

C2

green-morrison.gl.at.ply.gg:17455

Mutex

d83001e08eed9b05d072435f5ca1e81c

Attributes

reg_key
d83001e08eed9b05d072435f5ca1e81c
splitter
|'|'|

Targets

- Target
  
  Windows Defender.exe
- Size
  
  37KB
- MD5
  
  f183956bfef428d2010b67e7cf5fdb7f
- SHA1
  
  0b3bd6da13ef9394da1cb11152f2ce62873ae165
- SHA256
  
  87a799098b81bf8dd35f62c3f40e6a5ba73adb7d551446ba36c4e37a8ab46431
- SHA512
  
  57fa6282fa518cb66185eb1fa62ac49489b03aa1df5c2c241398c300ffed929e0843ce1199b9184236359b5bad8ec2a610847ee69087deb2a0b6719ea15889ef
- SSDEEP
  
  384:z6Rrkam6i/Cz3xAdjYWaSyFz1YXnC8W4Lt6rAF+rMRTyN/0L+EcoinblneHQM3eU:OfaC6mNhFz1Yyd4ErM+rMRa8Nuhit
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation