Overview

overview

10

Static

static

10

Loader.exe

windows7-x64

8

Loader.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    celestial.zip

  • Size

    17KB

  • Sample

    241018-lwdelsshkp

  • MD5

    dceebedf4fa5e053c6d34fa74e87d5d1

  • SHA1

    aead3ea51c1c361fff05f01ce8349bd06294a358

  • SHA256

    9e6846f018d8b872d54cbf3327bb0db39652e984dc7a673afca518ac102a73f1

  • SHA512

    016f82122af81c8560fffbbe11b4a17a08c278419937035850f5030be16244506338047bb908fbb45605d2f27ecf4f493a90d368acadb4042186d4cbcc6c85bc

  • SSDEEP

    384:rmcHIponibHpdbsFX1BiT+ZVQoyFGQmsee/pdgbt0Kwoe7o5T:tGHpeh7LZN6UBe/YJwosoJ

Score
10/10
njratnoobdiscoveryevasionpersistenceprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

noob

C2

7.tcp.eu.ngrok.io:17304

Mutex

1d465bba0c8a1a9fd459e1c5d5c1ba98

Attributes
  • reg_key

    1d465bba0c8a1a9fd459e1c5d5c1ba98

  • splitter

    |'|'|

Targets

    • Target

      Loader.exe

    • Size

      37KB

    • MD5

      22c0fec4bc0c886d299d216891bd02db

    • SHA1

      fbf6d7bc49d08f134d452fc8bdb11e8d4028d82b

    • SHA256

      b8ca201a6fd97c451f50d63a1731a61ac415ddbaef4268003d8a7221fe5b2ffc

    • SHA512

      1b1c1c3da8ca4905914d53604b7969a0a340e4d162d49108f665732dc3d15de57aae0598e4e9be3f7a0ebc91bb0115f92e968df18acd7bedd73620c95de7d7e9

    • SSDEEP

      384:zW/gUiDrblmJEpRGyEfdDPTuWCYqAlLrAF+rMRTyN/0L+EcoinblneHQM3epzXJ7:C/yHpR9EfdDCWClAprM+rMRa8Nurvht

    Score
    8/10
    discoveryevasionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks