njrat | b26f3837d1069076e8e4a4e0dd77c0a375452a8f1829bfdb9bcbc44e01d3347f | Triage

Sharing

General

Target

C0D3X17 (123).rar
Size

37.5MB
Sample

250205-xv98qs1mgp
MD5

6fd4cf19af37d9fc8860f00675d3d068
SHA1

1b1d72a7d677c1f982d7b46054e904f8619040f4
SHA256

b26f3837d1069076e8e4a4e0dd77c0a375452a8f1829bfdb9bcbc44e01d3347f
SHA512

3cf415dda7f6fc27a5e2a022e837178a4f4ef3e78373cc14454ba1e85aa467308d1fa81a09293a4d7e1c7dd6a6511d1492e9b46654d99af4e98cc18361de154c
SSDEEP

786432:JCqf2YINtXHgh1EiZwgEMLFuBwhamncUpFKJnBh/4UF10hxKqu+J3xtKadQ:IFYINtaEU4MRk4cQFKJBh/NFuxKqP3xu

Score

10^/10

njrat xworm defense_evasion discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

1VeDwfujGeaxOsgJ

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  C0D3X17 (123).rar
- Size
  
  37.5MB
- MD5
  
  6fd4cf19af37d9fc8860f00675d3d068
- SHA1
  
  1b1d72a7d677c1f982d7b46054e904f8619040f4
- SHA256
  
  b26f3837d1069076e8e4a4e0dd77c0a375452a8f1829bfdb9bcbc44e01d3347f
- SHA512
  
  3cf415dda7f6fc27a5e2a022e837178a4f4ef3e78373cc14454ba1e85aa467308d1fa81a09293a4d7e1c7dd6a6511d1492e9b46654d99af4e98cc18361de154c
- SSDEEP
  
  786432:JCqf2YINtXHgh1EiZwgEMLFuBwhamncUpFKJnBh/4UF10hxKqu+J3xtKadQ:IFYINtaEU4MRk4cQFKJBh/NFuxKqP3xu
Score

10^/10

njrat xworm defense_evasion discovery execution persistence privilege_escalation rat trojan
- Detect Xworm Payload
- Njrat family
  njrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratxwormdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationrattrojan