njrat | 83b66e30244b1729ebbaf9f0921fd51c0337e638665fa1ab01e8d8237a7fe80c | Triage

Resubmissions

01-12-2024 17:18

241201-vvcala1nhl 10

02-03-2024 19:50

240302-ykm6wshc64 10

Sharing

General

Target

Server.exe
Size

37KB
Sample

241201-vvcala1nhl
MD5

b3d12b297a856103adb57f5492cd6851
SHA1

2a6ebc4e929ed73ecc3720ae01d3d16e8f7b6089
SHA256

83b66e30244b1729ebbaf9f0921fd51c0337e638665fa1ab01e8d8237a7fe80c
SHA512

54d38f293feb0cb43dbcd9c8ac3b787e087ce471ced0a0ce7aa72a24d43acdf4d5210633832a68def43fd5c6561069353fdb6eb29ced28cbebbf27c302481cb8
SSDEEP

384:b1tcaCisx/WRdL5kyc/Tant5ngCmxorAF+rMRTyN/0L+EcoinblneHQM3epzXCNV:RtcmD5nc/TaPNmyrM+rMRa8Nucpt

Score

10^/10

njrat 4elsnurikom discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

4elsnurikom

C2

6.tcp.eu.ngrok.io:12125

Mutex

c52f1e45400f62b1c170da017d840dd6

Attributes

reg_key
c52f1e45400f62b1c170da017d840dd6
splitter
|'|'|

Targets

- Target
  
  Server.exe
- Size
  
  37KB
- MD5
  
  b3d12b297a856103adb57f5492cd6851
- SHA1
  
  2a6ebc4e929ed73ecc3720ae01d3d16e8f7b6089
- SHA256
  
  83b66e30244b1729ebbaf9f0921fd51c0337e638665fa1ab01e8d8237a7fe80c
- SHA512
  
  54d38f293feb0cb43dbcd9c8ac3b787e087ce471ced0a0ce7aa72a24d43acdf4d5210633832a68def43fd5c6561069353fdb6eb29ced28cbebbf27c302481cb8
- SSDEEP
  
  384:b1tcaCisx/WRdL5kyc/Tant5ngCmxorAF+rMRTyN/0L+EcoinblneHQM3epzXCNV:RtcmD5nc/TaPNmyrM+rMRa8Nucpt
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

4elsnurikomnjrat

behavioral1

discoveryevasionpersistenceprivilege_escalation