njrat | 81031472eeb908ed589389691db52b4f98b54feb7b4756ae3cf2321bb7c76bf9 | Triage

Submit
Reports

Overview

overview

Static

static

Nursultan.exe

windows10-2004-x64

Sharing

General

Target

Nursultan 1.16.5 crack (cracks).zip
Size

15.3MB
Sample

250121-bg5kfaylcj
MD5

aca81aadc27c1b40b00ac14f323e9506
SHA1

457b19a782c7db0d85180faf0ed0653599a35cb6
SHA256

81031472eeb908ed589389691db52b4f98b54feb7b4756ae3cf2321bb7c76bf9
SHA512

753331d330a974b8f49bb3dea4faaa5fece1f96d184649320c80a9f6f5744e957c8c74d37551e3678860110e03c8cd3458034eb7f576ea2552661bf4334b1034
SSDEEP

393216:vhQ1KOoR8fUjRO+UxSOCE4hHYEeN2RjhT6/EkLmTJ:vhfOoRlR1TgGHxjU/JuJ

Score

10^/10

njrat xworm discovery execution persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Nursultan.exe

Resource

win10v2004-20241007-en

njrat xworm discovery execution persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

Ymniiz-29322.portmap.host:29322

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Targets

- Target
  
  Nursultan.exe
- Size
  
  16.0MB
- MD5
  
  beaee64bd6a530d7a69b85ab1bf2a96e
- SHA1
  
  aafa8607eac3f3ac39d762920fe51e9b2a86eddb
- SHA256
  
  8d34437645bea72a222b0655712350a2f8cbd6c9cd8418ee7e04716a1af0adc6
- SHA512
  
  156e6a3e16c9fde1691a79afb054e2d872f95ef2ead55c5313e89ad2c799149e7c5656e04774e119cfd99de2afd1661cc60bcd43a16617aee3d78c81c2c5108b
- SSDEEP
  
  393216:i/JFQOEKdqGdVgT7uOPXtWV0HVvvoP7cI/NG1CMkCCk3Brj:6KOEKd9dK7uOPXtW8otAwMkCCuBf
Score

10^/10

njrat xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Njrat family
  njrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratxwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy