Extracted

Extracted

• • Target

    lmlmdos.exe

  • Size

    23KB

  • MD5

    5eb67cac2f9ef8a548ba327896909cda

  • SHA1

    b8f3612f2d00c581387b02a615ad178874b51329

  • SHA256

    f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

  • SHA512

    40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

  • SSDEEP

    384:XweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZQy:oLq411eRpcnuI

  Score

  10^/10

  njratadwarebootkitdefense_evasiondiscoverypersistenceprivilege_escalationstealertrojanhackedxwormrat

  • Detect Xworm Payload

  • Njrat family

    njrat

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Disables Task Manager via registry modification

    defense_evasion

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  behavioral1behavioral2behavioral3behavioral4behavioral5