General
-
Target
408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24N.exe
-
Size
1.2MB
-
Sample
241216-njkdhaykdt
-
MD5
b6d84da1e7884359bfae8fa18aaf8a80
-
SHA1
c01a49d30d94f1b9d0d908ab9d7afd50f5bd2375
-
SHA256
408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24
-
SHA512
8bd8da789f8050e05913fc823e8b04469f87c5902a1d0a38225a61a5593052e718fea1609b06a2e90dbfe355f1c77de0511a1f0ed7b8538fca6f670642cd140a
-
SSDEEP
24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaW7aWvCaFg5a7PCmWX95FC:Jh+ZkldoPK8YaW7CaZ7IHc
Static task
static1
Behavioral task
behavioral1
Sample
408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24N.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
njrat
0.7d
redlanhopto
redlan.hopto.org:5553
d25d360449d7bab3069e1b77b3a914a3
-
reg_key
d25d360449d7bab3069e1b77b3a914a3
-
splitter
|'|'|
Targets
-
-
Target
408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24N.exe
-
Size
1.2MB
-
MD5
b6d84da1e7884359bfae8fa18aaf8a80
-
SHA1
c01a49d30d94f1b9d0d908ab9d7afd50f5bd2375
-
SHA256
408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24
-
SHA512
8bd8da789f8050e05913fc823e8b04469f87c5902a1d0a38225a61a5593052e718fea1609b06a2e90dbfe355f1c77de0511a1f0ed7b8538fca6f670642cd140a
-
SSDEEP
24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaW7aWvCaFg5a7PCmWX95FC:Jh+ZkldoPK8YaW7CaZ7IHc
-
Njrat family
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1