njrat | c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2 | Triage

Sharing

General

Target

F2LNJ_loader.exe
Size

5.4MB
Sample

241010-mv35bazcll
MD5

916f7dea6831485387d70b0891455e65
SHA1

176e995cc2584d7c9703b2beee0994dcc4be91d5
SHA256

c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2
SHA512

ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4
SSDEEP

98304:m52dhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:+sBtGVD+OoUq8+SZ1hAVpRRjw6Q

Score

10^/10

njrat umbral xworm hacked discovery evasion execution persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1260642804414156891/hKfLDYiwORnJS0u7NEs9WPwqTyOYiJyHsbqndD7MezE-rhVSLHFDRhBZ_hNqb3v9ZoeE

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

147.185.221.20:49236

Mutex

6a8a3b6e5450a823d542e748a454aa4c

Attributes

reg_key
6a8a3b6e5450a823d542e748a454aa4c
splitter
|'|'|

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Targets

- Target
  
  F2LNJ_loader.exe
- Size
  
  5.4MB
- MD5
  
  916f7dea6831485387d70b0891455e65
- SHA1
  
  176e995cc2584d7c9703b2beee0994dcc4be91d5
- SHA256
  
  c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2
- SHA512
  
  ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4
- SSDEEP
  
  98304:m52dhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:+sBtGVD+OoUq8+SZ1hAVpRRjw6Q
Score

10^/10

njrat umbral xworm hacked discovery evasion execution persistence privilege_escalation rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratumbralxwormhackeddiscoveryevasionexecutionpersistenceprivilege_escalationratstealertrojan

behavioral2

njratumbralxwormhackeddiscoveryevasionexecutionpersistenceprivilege_escalationratstealertrojan