njrat | 74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9 | Triage

Submit
Reports

Overview

overview

Static

static

3

niggers.exe

windows10-2004-x64

Resubmissions

04-12-2024 14:38

241204-rz18qstmbl 10

04-12-2024 13:22

241204-qme93awpgz 10

Sharing

General

Target

241204-p9yjgs1nbp_pw_infected.zip
Size

14.1MB
Sample

241204-rz18qstmbl
MD5

ffddb4d8714809e17e1e1b19cb085b8c
SHA1

e7b635844b198af1e84fe00aad8c322eeafea51a
SHA256

74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9
SHA512

26cece41f6bb1903398813116c0fc27a25c205ee0ae6ae930fe7fe263f60cb86a0cfc76c40cef5851671e7c11191a8e45b27b1ef55222b6575abe7bf2cfe309e
SSDEEP

393216:kBkHW+0ozLt+tYFj37O1/CKw+JFu/HObglFPh8OW:k+HN7LtFp37O1/yC7gbPU

Score

10^/10

njrat ta505 xworm execution pyinstaller rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

niggers.exe

Resource

win10v2004-20241007-en

njrat ta505 xworm execution rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://176.111.174.138/usersync/tradedesk/_rp

Extracted

Family

xworm

Version

5.0

C2

week-dictionary.gl.at.ply.gg:12466

Mutex

WIHzy7HOqD8TiFlq

Attributes

Install_directory
%AppData%
install_file
PowerShell.exe

aes.plain

Targets

- Target
  
  niggers.exe
- Size
  
  14.3MB
- MD5
  
  8a44ee98217bc81f0869d793eefab1f0
- SHA1
  
  4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
- SHA256
  
  c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
- SHA512
  
  4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
- SSDEEP
  
  393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Score

10^/10

njrat ta505 xworm execution rat trojan
- Detect Xworm Payload
- Njrat family
  njrat
- TA505
  Cybercrime group active since 2015, responsible for families like Dridex and Locky.
  ta505
- Ta505 family
  ta505
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratta505xwormexecutionrattrojan

© 2018-2025

Terms | Privacy