njrat | 611fe530fb6e67415f6a5ed53e1961180fcb89bb1caab4fed64feab511a89813 | Triage

Sharing

General

Target

Account bringer.exe
Size

37KB
Sample

241005-xsdfzszcjl
MD5

fc04578c59cd41466d533cbcd7157282
SHA1

201be3e8474ca4bfe58fd5761ea62c42645d7fd0
SHA256

611fe530fb6e67415f6a5ed53e1961180fcb89bb1caab4fed64feab511a89813
SHA512

6c661d6c05e7729a1f4abd869b2e5b24cf2b0393f65d6e36c3f7c34502dd02f91b414cc08809a12209d7decd8a2250939f4f1ba7430e472e515a4f7816340f2b
SSDEEP

768:fb3MDF3lFdS7IVW5maePrM+rMRa8Nuv/t:fb6F3lPSUVW5oQ+gRJNE

Score

10^/10

njrat boykisser discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

boykisser

C2

eg-womens.gl.at.ply.gg:7999

Mutex

2be7fcfaf2fb2c0121ad0a1c26b16a25

Attributes

reg_key
2be7fcfaf2fb2c0121ad0a1c26b16a25
splitter
|'|'|

Targets

- Target
  
  Account bringer.exe
- Size
  
  37KB
- MD5
  
  fc04578c59cd41466d533cbcd7157282
- SHA1
  
  201be3e8474ca4bfe58fd5761ea62c42645d7fd0
- SHA256
  
  611fe530fb6e67415f6a5ed53e1961180fcb89bb1caab4fed64feab511a89813
- SHA512
  
  6c661d6c05e7729a1f4abd869b2e5b24cf2b0393f65d6e36c3f7c34502dd02f91b414cc08809a12209d7decd8a2250939f4f1ba7430e472e515a4f7816340f2b
- SSDEEP
  
  768:fb3MDF3lFdS7IVW5maePrM+rMRa8Nuv/t:fb6F3lPSUVW5oQ+gRJNE
Score

10^/10

discovery evasion persistence privilege_escalation trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates processes with tasklist
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Netsh Helper DLL

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalationtrojan