njrat | 8f6daa3e0fbb154744974157de50bb44037f557bb3daafa4abb87364b16c18fa | Triage

Sharing

General

Target

8f6daa3e0fbb154744974157de50bb44037f557bb3daafa4abb87364b16c18faN.exe
Size

9.6MB
Sample

241219-y58y4aymfz
MD5

15222345d443f0778788c0dc33e2c460
SHA1

3b50c1eb5f241aa5af41ae4f6ff43b9bd5465b44
SHA256

8f6daa3e0fbb154744974157de50bb44037f557bb3daafa4abb87364b16c18fa
SHA512

590d8bbb12289f5a8d53f418820fcf5f37518e1d384259d8fa96ba40f8e7ccdfed137be142d5bfe13d4d1544ec049e0ef19da98f6e143623cfb59ea45efb129f
SSDEEP

196608:bqSmoMj2Im/4Zf/yibr/fp+Lmz1+/e9B9B5PNybSqvN8uaiUz4:blmb2X/4d/Fr/fz+/eDlJqmHM

Score

10^/10

njrat xworm hacked discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

C2

il-qualities.gl.at.ply.gg:20324

Mutex

A5Ujpekg857KU4Rl

Attributes

Install_directory
%Temp%
install_file
qt.exe
telegram
https://api.telegram.org/bot6958222883:AAFZ09ESb81nGyw8qg-gtaih83Ldbnza0y8/sendMessage?chat_id=911974952

aes.plain

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:26843

Mutex

nerist.exe

Attributes

reg_key
nerist.exe
splitter
|Ghost|

Targets

- Target
  
  8f6daa3e0fbb154744974157de50bb44037f557bb3daafa4abb87364b16c18faN.exe
- Size
  
  9.6MB
- MD5
  
  15222345d443f0778788c0dc33e2c460
- SHA1
  
  3b50c1eb5f241aa5af41ae4f6ff43b9bd5465b44
- SHA256
  
  8f6daa3e0fbb154744974157de50bb44037f557bb3daafa4abb87364b16c18fa
- SHA512
  
  590d8bbb12289f5a8d53f418820fcf5f37518e1d384259d8fa96ba40f8e7ccdfed137be142d5bfe13d4d1544ec049e0ef19da98f6e143623cfb59ea45efb129f
- SSDEEP
  
  196608:bqSmoMj2Im/4Zf/yibr/fp+Lmz1+/e9B9B5PNybSqvN8uaiUz4:blmb2X/4d/Fr/fz+/eDlJqmHM
Score

10^/10

njrat xworm hacked discovery persistence rat trojan
- Detect Xworm Payload
- Njrat family
  njrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratxwormhackeddiscoverypersistencerattrojan

behavioral2

njratxwormdiscoverypersistencerattrojan