Overview

overview

10

Static

static

10

Nursultan.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Кряк nursultan (infected).7z

  • Size

    18KB

  • Sample

    250113-epcfeaxngn

  • MD5

    4b27031492ea7a7a2d72e973c7a97385

  • SHA1

    0547e80430fc83becae1e203b87663a9b060e2eb

  • SHA256

    d2a180e00d48e26d132582c2ef6e627e12dab351d6bcf332d1c62a24abb1e480

  • SHA512

    eaccc7b1dd3bc28964d9cd43021046c64f61a3b0a9303336809513a15aaae6907d6a097875b5600a7ad3c31a39269327b0693c4296803a0fe796250523c3fa22

  • SSDEEP

    384:gICFXS5xTXP5Q7nvbWQe+KauFgvWLm8UHe/4Wsd5O6vvD/NN6qAy/Mm0:jCqxAnvcmvWK8JxUOGb/NN6tl1

Score
10/10
njratnursultandiscoveryevasionpersistenceprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

nursultan

C2

5.tcp.eu.ngrok.io:19589

Mutex

a5671f403c216314a841c2725cea04b8

Attributes
  • reg_key

    a5671f403c216314a841c2725cea04b8

  • splitter

    |'|'|

Targets

    • Target

      Nursultan.exe

    • Size

      103KB

    • MD5

      7a06426209d92396e23f69a63f5ebe42

    • SHA1

      dfb89c6b1b08bf1ab31e4f6f91a662fb8c7d38c0

    • SHA256

      4e13e856eea3db28bf07862c2de78fdb7d94bc332657f1753736d947b7fa206b

    • SHA512

      84fb50af10ac8d47fee33a8629e71fac44e3b020e6a56a8c840349de300439baa59ccf27cca5f18265a6b5db63d1db305aa92033fc4e142e7f65fbbf62147edf

    • SSDEEP

      768:udcKD5nc/Hu3NiurM+rMRa8NuT+octHB04lYx+JV6rXznA1+6Nwdh:uJD5c/u3sx+gRJNG+os04lnkH

    Score
    8/10
    discoveryevasionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks