Overview

overview

10

Static

static

10

Setup/Setup.exe

windows11-21h2-x64

8

Setup/hidserv.dll

windows11-21h2-x64

1

Setup/hlink.dll

windows11-21h2-x64

7

Setup/hmkd.dll

windows11-21h2-x64

1

Setup/hnetcfg.dll

windows11-21h2-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup.zip

  • Size

    346KB

  • Sample

    250119-zs89rswjdw

  • MD5

    2bb6ee5e68c1042aaad2e0d33a279f93

  • SHA1

    7f7bd9b09e1bcd3eba0bef4e42b0066ecf3cece0

  • SHA256

    76e7d47eb1ab002d0536d9c2e073eb9286c9ce78aff2d9ac042e7c01916a2712

  • SHA512

    618a930a8d3df5092278c15303326fa149aea5757e8d5ad8e054aaacaedb51d409f987a75fd489a19c426a2b2d5b36ec3f63c1f7bc1b1b70cdd06bd8e75c3b28

  • SSDEEP

    6144:ZnVt5WDMqx82+hn5dXsPx9+HCwIsKDQeWVIbZhhoWmud+b:VrMDMqx82onv8Z98QpeGZXosc

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

3.121.113.182:1337

Mutex

0cf848bcebf5d082d484e0ffe1e8f23e

Attributes
  • reg_key

    0cf848bcebf5d082d484e0ffe1e8f23e

  • splitter

    |'|'|

Targets

    • Target

      Setup/Setup.exe

    • Size

      37KB

    • MD5

      e3383ba53ecebb2ecb7063fcccff17dc

    • SHA1

      cd1384e86f194f95c8939418d30c80c56c412645

    • SHA256

      07eaa040d73e39f53851533c8c09d92cd3228d099236e3995b19b4c8a1c15ada

    • SHA512

      563f952147c529230824ae6feaababb3ccbe7eca324d71892d2d4f68ffc0eb6eaf1edce29662c63563cd1f7c6de6e4468b35e2b96a7eb43c93aa7367c2877d34

    • SSDEEP

      384:LpRWUiDZblmJEpRGyEff1PNN0CYSmkhrAF+rMRTyN/0L+EcoinblneHQM3epzXPL:9R6HpR9Eff1P0Clm8rM+rMRa8NuxZt

    Score
    8/10
    discoveryevasionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

    • Target

      Setup/hidserv.dll

    • Size

      56KB

    • MD5

      1969d81e14152856fd487a773740700d

    • SHA1

      fe8c2191fdedef664807a8dc42fd675985e262a4

    • SHA256

      5794a44a7c0236090f9a3eaabd4d3981b7bb36aeb65efcec8e096ffafe49d3a0

    • SHA512

      e67b65b0be445241d89629ae17f053ddbc4414429e2fc1c1f533781102928895583dbdccd3a201f146bb9268e86905745bcbc5fd80e50dc7028b8c8fbae3003b

    • SSDEEP

      768:D1wpKL4nq5QJXMvhaqJuzX8I8S2cpODc6cBS+4+9rK:hAnAQXscZvpOwPwIu

    Score
    1/10
    behavioral2

    • Target

      Setup/hlink.dll

    • Size

      160KB

    • MD5

      8342acb306d837da7627f58159ebd910

    • SHA1

      90d84bb0b369d13c38d30e40b6a7c83481e330da

    • SHA256

      4aa272633cf76867a6029fb54c8de50441b8df3b5e11cb956edacdc0cbb19e78

    • SHA512

      e38e174b508c43531e497d8c48dcbc7121cc4744c2680b5f17164f4340032f9336cd1ddc3049a5b33bf93663ebc9d71262b84cd73a298514bf6fd4871879a406

    • SSDEEP

      3072:SkvtlaOK/CxHHUpvA8Yk/j+eI6CbiMLPdJSKsQkfzB+PlhjPvp41h9dL0s2Ko2IG:SkllaOK/CtHU5A8Yk/j+eI6CbiMLPdJq

    Score
    7/10
    persistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral3

    • Target

      Setup/hmkd.dll

    • Size

      80KB

    • MD5

      258daa23beb5c5a06f87a3ab88462102

    • SHA1

      b974e56114aeecc3abd0c6a97449e6ddcb186545

    • SHA256

      74e20a558bc612f9aafa3d2a38b15015429816fbb461cafa1bc79d954448153a

    • SHA512

      ffc0f3b8836609cedeca27311750395cd75b1b18d9b0a31c6f28573f2a4e33718814e0f2e4b34be06042526220cc2bde25130025f62591b175dd733258c1e909

    • SSDEEP

      1536:p5Ch7DaNQg1ut82AA8Sr3S+vDpj/8SY9O4:p5ChHaWuSrC+Fj/8Sj4

    Score
    1/10
    behavioral4

    • Target

      Setup/hnetcfg.dll

    • Size

      497KB

    • MD5

      3d3632994a7f06aa528e203b98982f0d

    • SHA1

      4602f4a7793ae16cb96e69d73a11639524cf5262

    • SHA256

      b71ae6f590a0db09fdcf16671c78da41cfa2a3f52f5893a0a9345e618b69942e

    • SHA512

      f67e758491a0634b6c195ca6d00996ff1ae886706d178e6ddc1b8bf7d01200c3b3e2353a0274f781b37717583c6d3cfa642be732fc9bf289cab4acccb98fbff7

    • SSDEEP

      12288:KBRqMSP8ZQHlazwS77KxebbeHXDjXrOrcebhBo5zQc6GiNql+2kOkyFLCHzw9cFN:MRqMSTHUzwYKEbbeHvrOrcebhBo5zQcQ

    Score
    1/10
    behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks