njrat | cbbd4d987c1f2368de89953f3d2ab06a803806faaab1d116d6c72cf11a93cbb2 | Triage

Sharing

General

Target

Bootstrapper.exe
Size

37KB
Sample

241201-2bmqjszlgk
MD5

92fd66073b9a4f83ee5257d4dfc611fb
SHA1

87377414dd581082a1e5d26633f2aa9838d26062
SHA256

cbbd4d987c1f2368de89953f3d2ab06a803806faaab1d116d6c72cf11a93cbb2
SHA512

f0e24cac627234e2556e7ce1b1634c32f0b17380850e3d956d35d6f92d1489dcad2fdcb799abbdf0d8169dff0d9c3da7a5672bf84899481368ed6909d6b19c95
SSDEEP

768:Ob3MDF3lFdS7IVW5mae2rM+rMRa8Nuvyt:Ob6F3lPSUVW5op+gRJNE

Score

10^/10

njrat boykisser discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

boykisser

C2

eg-womens.gl.at.ply.gg:7999

Mutex

2be7fcfaf2fb2c0121ad0a1c26b16a25

Attributes

reg_key
2be7fcfaf2fb2c0121ad0a1c26b16a25
splitter
|'|'|

Targets

- Target
  
  Bootstrapper.exe
- Size
  
  37KB
- MD5
  
  92fd66073b9a4f83ee5257d4dfc611fb
- SHA1
  
  87377414dd581082a1e5d26633f2aa9838d26062
- SHA256
  
  cbbd4d987c1f2368de89953f3d2ab06a803806faaab1d116d6c72cf11a93cbb2
- SHA512
  
  f0e24cac627234e2556e7ce1b1634c32f0b17380850e3d956d35d6f92d1489dcad2fdcb799abbdf0d8169dff0d9c3da7a5672bf84899481368ed6909d6b19c95
- SSDEEP
  
  768:Ob3MDF3lFdS7IVW5mae2rM+rMRa8Nuvyt:Ob6F3lPSUVW5op+gRJNE
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation