njrat | a1c489cce0663f3ec6b057a16f951d455b04458553803b07dd356ea4e3ccba2f

Sharing

Copy URL

Twitter E-mail

General

Target

Neverluse2.zip
Size

11.9MB
Sample

250115-w1tmhaslem
MD5

4a8ca7f758c5b8429f2c7bbfc6ba33a4
SHA1

f5d238a837c5d9ae2faaae09c01b90abd7a6753d
SHA256

a1c489cce0663f3ec6b057a16f951d455b04458553803b07dd356ea4e3ccba2f
SHA512

726f03f77d77716d56493594a9d59a0e5e2d76cd1434eb2a7d279f35b26f7056b930bf86532b147fbfcefec612c727d04e17f81f5256fb567341bfe205550e32
SSDEEP

196608:Ti+e553UgECAf+VLyHIZKpMKMXKhIIrAH87shgx4G+1yOAvQ1pn0u9I/wvNePM5I:Tewjj+pnawB/1Sg94gNNJX7yZ

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5555

Mutex

181a74d35475c4a2137967893bc3cc88

Attributes

reg_key
181a74d35475c4a2137967893bc3cc88
splitter
|'|'|

Targets

- Target
  
  Assets/D3D12/D3D12Core.dll
- Size
  
  5.4MB
- MD5
  
  7fc05c9a8366d19302dfd13d09d3ebac
- SHA1
  
  df07482f58cc84c439979548682cc44c48471a06
- SHA256
  
  8710110eccf43a32e5e1a04552cb344832922a0cd23caeecb764e18bd5cdffa8
- SHA512
  
  68385bde06684b0e9ea809372f151cd266cc4f9c3be14be0127a2e7468538f453c7da434ef5ddd9f751dcc054032dc6c7baa2bc5bbebd1c6ea3e5d148a931c1d
- SSDEEP
  
  49152:DDcfp0Vm21RnkVNaAFiEVTmZA+kkIwaaKsb7Xvdq0SpZcxNom7nLMzh3:Tg21Rn7rImnbDNw
Score

1^/10
behavioral1 behavioral2
- Target
  
  Assets/D3D12/NeLuse.dll
- Size
  
  13.2MB
- MD5
  
  d564b96c6c93363d2bf9c26c17a0750f
- SHA1
  
  46d334c16b1a5d44e5f0aa9441f43112512da2ec
- SHA256
  
  9be2c031999fb8093ea281796ef54081b3f425fcd63ec102f13752053a50b111
- SHA512
  
  e80c1a019d6e921eedd99ba340b327ead97843a0ed36ad69057bc56d3d7ef6bf3549ce84ac4c2f31a7a8db5172eaf008438bb5aa47cb60e0837f4d27a0af5e71
- SSDEEP
  
  98304:a+c5Nn4FeH0GnROrT/RM45oiMYk41QUsgvWJAeDd7gjGJerIIQsY2e+w3dqip:oIgHeAinOUSJAeDx6PY2ezE
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Assets/D3D12/opengl32.dll
- Size
  
  3.9MB
- MD5
  
  6d55a77ccc995de3759c18fa25a6a424
- SHA1
  
  e267453f77ec20c91520c0a9243cf25099483c41
- SHA256
  
  b1238496bd6f4f934711dfc5795f127d81564e7c384ea540f971c60b21086de9
- SHA512
  
  23d9eb432e8c2c33b447261acc33effde712ee8f2dd6f494a1837cf3329a927f7b0adf9388dbeb9783ffe36d7be8c07f0607730ac150405b42baa5a93edc5bdb
- SSDEEP
  
  49152:dU9yC/2CfySoGMEG1ONdI+hUhHUcwrHxH8eQi7Ec4AjFxkqMAVEvJJ4ePLBvznHh:dsOhtMMwtJAMxfcpPd
Score

1^/10
behavioral5 behavioral6
- Target
  
  NL.exe
- Size
  
  93KB
- MD5
  
  f0c234db804898229a7e3bdea180f915
- SHA1
  
  2c61d230f86552e80bf59e6e21546a8dce6f3452
- SHA256
  
  a62ee0552b21391d0e2898786f9ec2473eb21d2e7a69aad9737862835f00f377
- SHA512
  
  e438734c8811875e8efbea1d6a4ec153ae01a666274c0d8d0751fda6175df3b8f09058f1d7627cabd7b84d873ec31e2407a414c38ecce0797d2718d67beff900
- SSDEEP
  
  768:8Y3UbnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3EsGg:gbxOx6baIa9ROj00ljEwzGi1dDcDCgS
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  Plugin/1.dll
- Size
  
  367KB
- MD5
  
  c3e8ff959a4027bc8cd67e26d3003370
- SHA1
  
  5469f8a06813027ab3f8bcfaf4d5c87810ab347a
- SHA256
  
  afda8e5fb125e27aa1062365ab4b77c4fa3acd14a6e435ab7ddde18644266af3
- SHA512
  
  d0f461200daa100f6d05320c538d793e662f9ddfb13fa70351bb1bdf21cf7a1c256d284c3378551d288d7275cfa9cb32e84cdb13e7bc49ca4b5483d8ef999f15
- SSDEEP
  
  6144:ELPgpcVH6h+9Ve/B2Gmzoun1YUqqlkLqa8vcvIjlk0Hrg5eplNpi:EceD9uB+ca1Yg0qakwIjKU1Nw
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Plugin/10.dll
- Size
  
  1.1MB
- MD5
  
  e3bf65ce42edca6891fb7123711ace2c
- SHA1
  
  455a838ce4c51976faa9312ae212d7fc82ff7e19
- SHA256
  
  4d04ead199b9f3433314ac5a4c5466d0ce5e4c43e2fdd381ae0d6a1e705e6f1e
- SHA512
  
  1bce779f1afc8a10c9dffe245ebfb9c46c69cf805cc24dfbb5edfe6e3577b0b34e7ee59763a31e05579f22a584628c10c87fcfb6e9f180d16a0648b6fe05f490
- SSDEEP
  
  24576:2cMzcRP/NYt1FxJlZfY+4VHM9gJppE2ZiH8BnoTsHa0GMG:2HcZN4FTfYxHHoHuoTV2
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Plugin/2.dll
- Size
  
  271KB
- MD5
  
  07194ab187366cab46972f2f2f1ef0b5
- SHA1
  
  14927d4482a318004a42a5cf8cc40ad08673a302
- SHA256
  
  7ab30a602581387fa97faf7f8100d2c98bd3407372f723f805f2346addb7d008
- SHA512
  
  989720c17fca490d1fb3a6166f713b07410b0525c7ee142d192de4f5a044f904633b3eb8c3e83f8448bc7ee3da5cb448711067025cdf037d20cf1e9d18131446
- SSDEEP
  
  6144:HLPgpcVH6h+9Ve/B2GmzountZ0MGr33cPuWG69SvplN2r:HceD9uB+caYMIcmWG69SLNU
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Plugin/3.dll
- Size
  
  223KB
- MD5
  
  fc2c601bba0029124a120db3035b5652
- SHA1
  
  a56b3b16e0814ed4da024ab2eee968c17c004698
- SHA256
  
  666f19c5d6528c4e071b4414aa410eae3497c809107739db87e39374ceb8593c
- SHA512
  
  0c49ad30c8bbf125fa3a47ac63d862063b8feadd87968356237a7df08b8cf4ed4b66e1a8852303b32f6d8ff168a24743fc7adeb94de4aa6f72aed3f2c279b95c
- SSDEEP
  
  3072:hLXfgUssa+sVyMMH6h+xr0we/4E2Gd0NRW5H76QM4o+aeMMf6W9plNNAGExB:hLPgpcVH6h+9Ve/B2GmzounxW9plNWl
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  Plugin/4.dll
- Size
  
  202KB
- MD5
  
  621ff03775382229afbc039efba07212
- SHA1
  
  3bcf1669b70df52059d2fb5c9025ad3fd30170ad
- SHA256
  
  d22944f50fdbe7b9fc55807ebca0275e59a0ede94226e2ce365bc507bc96ec68
- SHA512
  
  3168bb66d0e2a72df58c46275916fc9cd1d92512b4221fc0259859904d174f9a4b4cec3ff43ec91e4a084ebe4cbfd7349cfba230b1e56403bf36a711d2d8b90b
- SSDEEP
  
  3072:NLXfgUssa+sVyMMH6h+xr0we/4E2Gd0NRW5H76QM4o+aeMyzBplN1AiENh:NLPgpcVH6h+9Ve/B2Gmzoun4plNud
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  Plugin/5.dll
- Size
  
  292KB
- MD5
  
  54b06dbc99832ca8a54232351af21059
- SHA1
  
  42367bca4add1792f841f9c20bf8d6a6410c0ae1
- SHA256
  
  4b6914d1ca3c871a2e79d54bb19a7a66e207548214b215698ac3371595cecb5a
- SHA512
  
  e49dbe7b2a58dc5be68cc79aca83a090486786454d03461ae256f5a0b098d8e00f18032bf1eddd7ed7e863580b8c463771704df404009d3ba1b375b4ec9bd87a
- SSDEEP
  
  6144:iLPgpcVH6h+9Ve/B2GmzountmmJwBISoHVgmRuPOLaplNZW:iceD9uB+cat3JKbFDOuNE
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  Plugin/6.dll
- Size
  
  628KB
- MD5
  
  633b07e6516aea1d677b8d64bfcb04e7
- SHA1
  
  8f55062fbec6bea8f8cb689e5228cb0f4b759b59
- SHA256
  
  0d01cc53ba6630b8bae7674cfd4deebe6cb0c9e5d2029e3f29c0bc25b2760207
- SHA512
  
  456207a76294bfc5f8f88b3c893b1d931604f935a67770349d6ef831674a65de73ed6d01b2c51c0a3499c30543e5011490b0ebfb34598d00504f1574adae3df4
- SSDEEP
  
  12288:RceD9uB+caZ042+6tMOfLEawCDQuPBFjXwR0F+SbNV:RcMzcRG8pBVwyNb
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Plugin/7.dll
- Size
  
  31KB
- MD5
  
  ba2d32d8118f59ae4aab0bae941542ed
- SHA1
  
  b627f2ffb0c8d82e8b9413228a8b75e70d716f2e
- SHA256
  
  814ac620ea996b45e8c0fc55ae57e10c11add1cf4fbe9d260a5f13052051b420
- SHA512
  
  1181d91e843f1a51248e4080fe91539d77c749125017fb3a1382da3c7b15317337510a0e18827a7ef6ad091c66ff70801f68597895e81c08e6daf96ca0ade839
- SSDEEP
  
  384:ZokI7SgVV+17QwkSoL20gNjhlLk245nKuk4Z/jKeK:an07QnaHjh5m3K
Score

1^/10
behavioral23 behavioral24
- Target
  
  Plugin/8.dll
- Size
  
  259KB
- MD5
  
  8ca640310df5533abc19acd7dabc829e
- SHA1
  
  38d126c7d252c5aa5963be1022060869bb3daea9
- SHA256
  
  06b3345a22309557ec7168efe1d4bb48a6180a9643faa472c9c90b004ce0a1ac
- SHA512
  
  a7d699d09e0e78815e842eae633b44c03ad0c974985cf2faa4f8f64ab8ceec164f75390f120170847c59a4f09d9bcb3ab0c3f0377afa5cdf834b4612528a15df
- SSDEEP
  
  6144:WLPgpcVH6h+9Ve/B2GmzounAbvkteYu6eYsvSplNH0:WceD9uB+caAbvZYA/v6NU
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  Plugin/9.dll
- Size
  
  469KB
- MD5
  
  1a018036c48b4cd8e0c7d1a7ebea06a9
- SHA1
  
  8ec946a133f07bf62754caddf3a884020f430f8d
- SHA256
  
  45aa36d007d27ca8e9659cd004a98f048b232161202553da643c4d1df3427459
- SHA512
  
  a8a8cbb9a1bfbdbe610bcde92d49674ee155d11fb6992dcd74551926fb3c1d8c2eebc773655638f785079961129cc9112718f2d4764812bbca9f085d3d7bd79a
- SSDEEP
  
  12288:BceD9uB+caeL5rWxh9FnOl5T3e2Vzdb3Cl9WNNg:BcMzcDL5yxhfnk5TnhVk9m
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Plugin/Andex.dll
- Size
  
  100KB
- MD5
  
  6032ce8ceea46af873b78c1f323547da
- SHA1
  
  8c5bd4a70e0f21aeba41c07976ace2919b64fd80
- SHA256
  
  19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7
- SHA512
  
  3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe
- SSDEEP
  
  1536:CQvlJNxwHPmtN2dWWWQmMTuAip6XIbY6i32Kf3oKwfTjK2f20:CQNwaFET6p6XOY6i32U3BwfPK2e0
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Plugin/Duck.dll
- Size
  
  63KB
- MD5
  
  d7d46952778a85491b34f62991a060d4
- SHA1
  
  ff30ef03867eb74f2454375cbe3508ee26b07163
- SHA256
  
  5d1217e2c9e820c3e7b2fc28fab4e40d85e0e9f4362e66a451e42d597b8c2650
- SHA512
  
  7c9b4c254a1977d1a16ac3aa8ce81d897eeda4465e51c9f0cbe2c03326cc6c3bb7acb89d8d1f4ce1dec03118574b57f30a3400b2dc47b70aa87bfd2f4f99f8bc
- SSDEEP
  
  1536:miaFJkobMa8dBXu2IbV3DKyBzYDEBUhYW:miEbMRdBXnUV3DKyBzYDEal
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Drops autorun.inf file

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32