njrat | ea98c9bf854db4937cdd2f7430d21d72169cb3a5f676ffc41e71659b250438d2

General

Target

Setup_Update.zip
Size

346KB
Sample

241218-1fby6ssmbt
MD5

eb751de314ba1859e4fa6ace8ac7bc51
SHA1

c47e21d1db58017a96811bf73d96933f0bafb0ce
SHA256

ea98c9bf854db4937cdd2f7430d21d72169cb3a5f676ffc41e71659b250438d2
SHA512

c8b7547b90498d20790ab941642b8e128e75ea9585c7dd749805e597cd214720d23e5d4761b8fbea058bc28a5343c2dc123e9a251da2ea72cc7584f6648713ca
SSDEEP

6144:jnVs5WDMq+8Z+hn5dXsPx9+HCwIsKDQeWVIbZhholaE4bX:7yMDMq+8Zonv8Z98QpeGZXola1bX

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HACK

C2

35.159.113.6:1337

Mutex

d8dd25933bbb5fc191f7e51a861b997a

Attributes

reg_key
d8dd25933bbb5fc191f7e51a861b997a
splitter
|'|'|

Targets

- Target
  
  Setup_Update/SetupUpdate.exe
- Size
  
  37KB
- MD5
  
  4389854ab6bd814b908dbe1c68e23845
- SHA1
  
  a4f2e5c7b686105c6d9100b71fbd6b028cf530d9
- SHA256
  
  a49aca0e07fbf1c5f485c12ba3b49c50a843a739c891e2c91d150764599ab6c3
- SHA512
  
  aa4403e28a0001d9c259f8ce4b3e4f2ed9649fc58fd8a2f1ec12141a819b9751b5c012f06b5caad8f6656ae06224b1b134e31932f8e3ce2c4c0fd387028384e1
- SSDEEP
  
  384:P/2m3hUidkiXR21cGMy8PuuRXBiFlK6IurAF+rMRTyN/0L+EcoinblneHQM3epz9:n2m3VLGv8PuuR066XrM+rMRa8Nuvdt
Score

10^/10

njrat hack discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  Setup_Update/hidserv.dll
- Size
  
  56KB
- MD5
  
  1969d81e14152856fd487a773740700d
- SHA1
  
  fe8c2191fdedef664807a8dc42fd675985e262a4
- SHA256
  
  5794a44a7c0236090f9a3eaabd4d3981b7bb36aeb65efcec8e096ffafe49d3a0
- SHA512
  
  e67b65b0be445241d89629ae17f053ddbc4414429e2fc1c1f533781102928895583dbdccd3a201f146bb9268e86905745bcbc5fd80e50dc7028b8c8fbae3003b
- SSDEEP
  
  768:D1wpKL4nq5QJXMvhaqJuzX8I8S2cpODc6cBS+4+9rK:hAnAQXscZvpOwPwIu
Score

1^/10
behavioral2
- Target
  
  Setup_Update/hlink.dll
- Size
  
  160KB
- MD5
  
  8342acb306d837da7627f58159ebd910
- SHA1
  
  90d84bb0b369d13c38d30e40b6a7c83481e330da
- SHA256
  
  4aa272633cf76867a6029fb54c8de50441b8df3b5e11cb956edacdc0cbb19e78
- SHA512
  
  e38e174b508c43531e497d8c48dcbc7121cc4744c2680b5f17164f4340032f9336cd1ddc3049a5b33bf93663ebc9d71262b84cd73a298514bf6fd4871879a406
- SSDEEP
  
  3072:SkvtlaOK/CxHHUpvA8Yk/j+eI6CbiMLPdJSKsQkfzB+PlhjPvp41h9dL0s2Ko2IG:SkllaOK/CtHU5A8Yk/j+eI6CbiMLPdJq
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral3
- Target
  
  Setup_Update/hmkd.dll
- Size
  
  80KB
- MD5
  
  258daa23beb5c5a06f87a3ab88462102
- SHA1
  
  b974e56114aeecc3abd0c6a97449e6ddcb186545
- SHA256
  
  74e20a558bc612f9aafa3d2a38b15015429816fbb461cafa1bc79d954448153a
- SHA512
  
  ffc0f3b8836609cedeca27311750395cd75b1b18d9b0a31c6f28573f2a4e33718814e0f2e4b34be06042526220cc2bde25130025f62591b175dd733258c1e909
- SSDEEP
  
  1536:p5Ch7DaNQg1ut82AA8Sr3S+vDpj/8SY9O4:p5ChHaWuSrC+Fj/8Sj4
Score

1^/10
behavioral4
- Target
  
  Setup_Update/hnetcfg.dll
- Size
  
  497KB
- MD5
  
  3d3632994a7f06aa528e203b98982f0d
- SHA1
  
  4602f4a7793ae16cb96e69d73a11639524cf5262
- SHA256
  
  b71ae6f590a0db09fdcf16671c78da41cfa2a3f52f5893a0a9345e618b69942e
- SHA512
  
  f67e758491a0634b6c195ca6d00996ff1ae886706d178e6ddc1b8bf7d01200c3b3e2353a0274f781b37717583c6d3cfa642be732fc9bf289cab4acccb98fbff7
- SSDEEP
  
  12288:KBRqMSP8ZQHlazwS77KxebbeHXDjXrOrcebhBo5zQc6GiNql+2kOkyFLCHzw9cFN:MRqMSTHUzwYKEbbeHvrOrcebhBo5zQcQ
Score

1^/10
behavioral5