njrat | 5c854b85f62ea27660d8a371bd085771d17812e21ac1066a80f176dd5ee6e791 | Triage

Sharing

General

Target

Umbrella.flv.exe
Size

93KB
Sample

250111-vsnkvatrez
MD5

e0c869b42c00f9a6f37200c870e410af
SHA1

e8533ba02dff440c2ed561d012a5f7db931dbe63
SHA256

5c854b85f62ea27660d8a371bd085771d17812e21ac1066a80f176dd5ee6e791
SHA512

6f14952004d9df8d5b6c79b2afd669b4b75851ff72ddff49f5b8ebba5fc04a64716dcd77761a863bc3dfb1bcef00591b7431056774efd72c296fe29fcd3fce43
SSDEEP

1536:GyIQIBlfGQFk2ZonmzlMxjEwzGi1dDhDIgS:GyOtFk2ZonmZMOi1dFx

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

e007e9b2e208cd7d8d369a9919370c04

Attributes

reg_key
e007e9b2e208cd7d8d369a9919370c04
splitter
|'|'|

Targets

- Target
  
  Umbrella.flv.exe
- Size
  
  93KB
- MD5
  
  e0c869b42c00f9a6f37200c870e410af
- SHA1
  
  e8533ba02dff440c2ed561d012a5f7db931dbe63
- SHA256
  
  5c854b85f62ea27660d8a371bd085771d17812e21ac1066a80f176dd5ee6e791
- SHA512
  
  6f14952004d9df8d5b6c79b2afd669b4b75851ff72ddff49f5b8ebba5fc04a64716dcd77761a863bc3dfb1bcef00591b7431056774efd72c296fe29fcd3fce43
- SSDEEP
  
  1536:GyIQIBlfGQFk2ZonmzlMxjEwzGi1dDhDIgS:GyOtFk2ZonmZMOi1dFx
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation