Overview

overview

10

Static

static

10

Setup/Setup.exe

windows10-2004-x64

8

Setup/hidserv.dll

windows10-2004-x64

1

Setup/hlink.dll

windows10-2004-x64

7

Setup/hmkd.dll

windows10-2004-x64

1

Setup/hnetcfg.dll

windows10-2004-x64

1

Resubmissions

18/01/2025, 23:49 UTC

250118-3t948szkgk 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup.zip

  • Size

    346KB

  • Sample

    250118-3t948szkgk

  • MD5

    2bb6ee5e68c1042aaad2e0d33a279f93

  • SHA1

    7f7bd9b09e1bcd3eba0bef4e42b0066ecf3cece0

  • SHA256

    76e7d47eb1ab002d0536d9c2e073eb9286c9ce78aff2d9ac042e7c01916a2712

  • SHA512

    618a930a8d3df5092278c15303326fa149aea5757e8d5ad8e054aaacaedb51d409f987a75fd489a19c426a2b2d5b36ec3f63c1f7bc1b1b70cdd06bd8e75c3b28

  • SSDEEP

    6144:ZnVt5WDMqx82+hn5dXsPx9+HCwIsKDQeWVIbZhhoWmud+b:VrMDMqx82onv8Z98QpeGZXosc

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

3.121.113.182:1337

Mutex

0cf848bcebf5d082d484e0ffe1e8f23e

Attributes
  • reg_key

    0cf848bcebf5d082d484e0ffe1e8f23e

  • splitter

    |'|'|

Targets

    • Target

      Setup/Setup.exe

    • Size

      37KB

    • MD5

      e3383ba53ecebb2ecb7063fcccff17dc

    • SHA1

      cd1384e86f194f95c8939418d30c80c56c412645

    • SHA256

      07eaa040d73e39f53851533c8c09d92cd3228d099236e3995b19b4c8a1c15ada

    • SHA512

      563f952147c529230824ae6feaababb3ccbe7eca324d71892d2d4f68ffc0eb6eaf1edce29662c63563cd1f7c6de6e4468b35e2b96a7eb43c93aa7367c2877d34

    • SSDEEP

      384:LpRWUiDZblmJEpRGyEff1PNN0CYSmkhrAF+rMRTyN/0L+EcoinblneHQM3epzXPL:9R6HpR9Eff1P0Clm8rM+rMRa8NuxZt

    Score
    8/10
    discoveryevasionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      Setup/hidserv.dll

    • Size

      56KB

    • MD5

      1969d81e14152856fd487a773740700d

    • SHA1

      fe8c2191fdedef664807a8dc42fd675985e262a4

    • SHA256

      5794a44a7c0236090f9a3eaabd4d3981b7bb36aeb65efcec8e096ffafe49d3a0

    • SHA512

      e67b65b0be445241d89629ae17f053ddbc4414429e2fc1c1f533781102928895583dbdccd3a201f146bb9268e86905745bcbc5fd80e50dc7028b8c8fbae3003b

    • SSDEEP

      768:D1wpKL4nq5QJXMvhaqJuzX8I8S2cpODc6cBS+4+9rK:hAnAQXscZvpOwPwIu

    Score
    1/10
    behavioral2

    • Target

      Setup/hlink.dll

    • Size

      160KB

    • MD5

      8342acb306d837da7627f58159ebd910

    • SHA1

      90d84bb0b369d13c38d30e40b6a7c83481e330da

    • SHA256

      4aa272633cf76867a6029fb54c8de50441b8df3b5e11cb956edacdc0cbb19e78

    • SHA512

      e38e174b508c43531e497d8c48dcbc7121cc4744c2680b5f17164f4340032f9336cd1ddc3049a5b33bf93663ebc9d71262b84cd73a298514bf6fd4871879a406

    • SSDEEP

      3072:SkvtlaOK/CxHHUpvA8Yk/j+eI6CbiMLPdJSKsQkfzB+PlhjPvp41h9dL0s2Ko2IG:SkllaOK/CtHU5A8Yk/j+eI6CbiMLPdJq

    Score
    7/10
    persistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral3

    • Target

      Setup/hmkd.dll

    • Size

      80KB

    • MD5

      258daa23beb5c5a06f87a3ab88462102

    • SHA1

      b974e56114aeecc3abd0c6a97449e6ddcb186545

    • SHA256

      74e20a558bc612f9aafa3d2a38b15015429816fbb461cafa1bc79d954448153a

    • SHA512

      ffc0f3b8836609cedeca27311750395cd75b1b18d9b0a31c6f28573f2a4e33718814e0f2e4b34be06042526220cc2bde25130025f62591b175dd733258c1e909

    • SSDEEP

      1536:p5Ch7DaNQg1ut82AA8Sr3S+vDpj/8SY9O4:p5ChHaWuSrC+Fj/8Sj4

    Score
    1/10
    behavioral4

    • Target

      Setup/hnetcfg.dll

    • Size

      497KB

    • MD5

      3d3632994a7f06aa528e203b98982f0d

    • SHA1

      4602f4a7793ae16cb96e69d73a11639524cf5262

    • SHA256

      b71ae6f590a0db09fdcf16671c78da41cfa2a3f52f5893a0a9345e618b69942e

    • SHA512

      f67e758491a0634b6c195ca6d00996ff1ae886706d178e6ddc1b8bf7d01200c3b3e2353a0274f781b37717583c6d3cfa642be732fc9bf289cab4acccb98fbff7

    • SSDEEP

      12288:KBRqMSP8ZQHlazwS77KxebbeHXDjXrOrcebhBo5zQc6GiNql+2kOkyFLCHzw9cFN:MRqMSTHUzwYKEbbeHvrOrcebhBo5zQcQ

    Score
    1/10
    behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.