asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85
Size

87.1MB
Sample

250322-xn29jssp16
MD5

fb96ca35225e550b9554f9bd596d5b69
SHA1

70a02eebf9c4991a5ebd3a2e1f5e245f82af8452
SHA256

01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85
SHA512

07e6f2a42395ffcfcef026547f7608211c4444e247f84c6bb6c7331d610f600177f27865c358b6c0f391a01caccdd87b4ab7848cb1e2e8f58e9c2d2b97ef17b4
SSDEEP

1572864:1UdTZLFRQSgEONB8E6FNklDssJl+h1N3Q6cAD5hRhEvlSOEawFo:WVtQP178tFNkFah1i8DzLEvlDEaZ

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

87.121.79.75:7000

Mutex

YJMntxWUG8GqfQnk

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

vanechkin-51361.portmap.host:51361

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

valerianobritoieufsasd.duckdns.org:5023

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
calc.exe
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3230

Attributes

delay
1
install
true
install_file
Serial_checker.exe
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2020-04-24T17:41:53.492468936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
45400
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sysupdate24.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Extracted

Family

remcos

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1d90d6c35e9237c9b00a3c2b3e7ff1d0cfe709efdf26f5665743ec2533645f9c.exe
- Size
  
  98KB
- MD5
  
  e207c28adc3d625a47386442ce55f467
- SHA1
  
  faa588ea6b738213db2e74243d8c273ea7cb958e
- SHA256
  
  1d90d6c35e9237c9b00a3c2b3e7ff1d0cfe709efdf26f5665743ec2533645f9c
- SHA512
  
  2b6dd4e96d5b807967ae8650419591780a5ad4654f62af98478d248c2e5ef3c54dac260cd1fbf54109b1a2f2ed1ddee8fc2a4884da56f38e862d3fb89645a41d
- SSDEEP
  
  1536:Mfk6WICgBTnkJbO6JIhecX8zdZt7OpjDcvNkOV:cZWS7kWhvX8ZZt7qcvNrV
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  1dbfa6282eedc723ebe57ace23fd6b68.exe
- Size
  
  32KB
- MD5
  
  1dbfa6282eedc723ebe57ace23fd6b68
- SHA1
  
  c827aeb5c20acd10fc7eeccfb77bb0b17b2ac1d5
- SHA256
  
  8b5265c26284a2cddfd6cd0735381743b93964efe675dfad9b7ac22447d6d9e7
- SHA512
  
  f4043281ac6bbb6db64b2cab28fe3aa5ae5ce7936f3fb474ed48d253fb5f7c18ab81ee6c4267131d150763c9bf180603c64868561f6d0c2e2c76ccf33ddd1ba4
- SSDEEP
  
  384:wLSL7PAjc57sSI8j9fu5dzNWW8/q1Ey9D9Qq1jz6XYi2VX/CrLdskLDOHYCFXPzC:uSL7PAs7sSGH9QspVPihmF7o71V
Score

8^/10

defense_evasion discovery persistence privilege_escalation
- Modifies Windows Firewall
  defense_evasion
behavioral3 behavioral4
- Target
  
  1dc47906f130f9bcf0c314005fc34842a4c89f93b18acfbc2fcd8ff856ceca32.exe
- Size
  
  1.8MB
- MD5
  
  793d4f49460d39ce07b9b1f4fbae913f
- SHA1
  
  0f673b4d57a55fe5c7ad9f575cb04e31a1fd2ac7
- SHA256
  
  1dc47906f130f9bcf0c314005fc34842a4c89f93b18acfbc2fcd8ff856ceca32
- SHA512
  
  7dc26a5651a95fc2c23174d6049bdb24e456f53fb08654ddf4984ee26d461b3c4186b70e3eb700088e9098a2d1449c77e5023bb872b933ed50cab7ed1e48ab71
- SSDEEP
  
  24576:PD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6J:PF+QrFUBgq25eKu6J
Score

10^/10

remcos host discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
- Size
  
  1.6MB
- MD5
  
  e38a8ba2db5ea28f0f52d37b4a9d0d45
- SHA1
  
  eeb67e1eb72370ce24df9b82c6a7664176dfe064
- SHA256
  
  1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
- SHA512
  
  ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
- SSDEEP
  
  24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral7 behavioral8
- Target
  
  1e02f6a6c634da6b94dfe93259fe6c83.exe
- Size
  
  245KB
- MD5
  
  1e02f6a6c634da6b94dfe93259fe6c83
- SHA1
  
  7d7d9bed30bb40bed267068cd024a1686283102e
- SHA256
  
  d48935909cfe4ce225286aad8bf293884ab5db0c6e7b7051af4b73eaa598f31b
- SHA512
  
  99350f9792b5745253679e8ccf800433962943c604c3dc6291a89aa85329093457a5cc63a31ac84e783f1e9bf975bdd8c395c8823ee2de654840e59ea3f50989
- SSDEEP
  
  6144:hB1k40am5EjLN7DMLgIt1jKL8Kyo02FwLS:hH4gUDjKwKBwLS
Score

7^/10
- Deletes itself
- Executes dropped EXE
behavioral10 behavioral9
- Target
  
  1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
- Size
  
  1.6MB
- MD5
  
  517861702fe0a89aa5e3af35d9f96661
- SHA1
  
  50101d8bff153320694baf54bc7b68e585720d4d
- SHA256
  
  1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
- SHA512
  
  da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral11 behavioral12
- Target
  
  1e320ed242153c25553c2a0c1901ddfa69f0a747cb278608e43043311649b5cb.exe
- Size
  
  1.7MB
- MD5
  
  f33096aa28da8c14b681861c1f89c017
- SHA1
  
  3f98457b66376ef305ac89380b25e45a1677e494
- SHA256
  
  1e320ed242153c25553c2a0c1901ddfa69f0a747cb278608e43043311649b5cb
- SHA512
  
  d4a6b9eaf6f66660316d83b67b35623ba5faefd2ebe457b820b4972d9e472864f18897019582982218852a67067b9bdd96dff3cdb0adb93c3f63d1d5f294fdc8
- SSDEEP
  
  24576:5D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoy:5p7E+QrFUBgq2X
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  1ec4b8acdc518e88f254db69a6886065.exe
- Size
  
  14KB
- MD5
  
  1ec4b8acdc518e88f254db69a6886065
- SHA1
  
  b244f82c6d2d22f7fd15eeae2484f95fe86327c0
- SHA256
  
  84ad35936954f5564e303dfd03b7b90dee8762b0f28fb8824ec5682508acfe8e
- SHA512
  
  b339972de100674122a4c0395e96f94cffea2ab07577ed023ab9a73da5f475b0fad2033d88a4071f3e4fda2b98f9512fb8ff6f1262f87df99a0933274e4879e4
- SSDEEP
  
  384:jnsnp+Zt/1Hp96CyzTmNqWNt3dCLZnsyQVg/WD:jnsnEZlx6dTedh1
Score

1^/10
behavioral15 behavioral16
- Target
  
  1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
- Size
  
  1.6MB
- MD5
  
  7fbc72dcc67b2b7366c90f81051bd68a
- SHA1
  
  bdd22f70686afb5bf32d638eee6fdd0891ec3248
- SHA256
  
  1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
- SHA512
  
  e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
- SSDEEP
  
  24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral17 behavioral18
- Target
  
  1f0343adab1970d928320ce2aa587fd3.exe
- Size
  
  1.6MB
- MD5
  
  1f0343adab1970d928320ce2aa587fd3
- SHA1
  
  e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
- SHA256
  
  9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
- SHA512
  
  c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
- SSDEEP
  
  24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral19 behavioral20
- Target
  
  1f1f2a5e827f18875756710c0bc7c9016d4f1caf2f046c77abf55ec2b1c06eba.exe
- Size
  
  6.6MB
- MD5
  
  de0a7019edee67c4d04bd23a449778a5
- SHA1
  
  d919f8c2dd748a28f1d5db2f2325ade04a30d106
- SHA256
  
  1f1f2a5e827f18875756710c0bc7c9016d4f1caf2f046c77abf55ec2b1c06eba
- SHA512
  
  aadcdf280804d7a5d34ce3df08b5af7309ba43e0e03f3823e6358648e7e608b3e7bc6f8f5c09009dc4988accdfe54c289a32363c22ae3326e42dc12d8fb8d56c
- SSDEEP
  
  196608:dMPUeNo7jvD6fQiDrr6bVFqklb/DwjeKx85xgo8+:deg3vQQWIFRTDrfxZ
Score

10^/10

dcrat discovery infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral21 behavioral22
- Target
  
  1f2f39600815db1ee39333ed0b8df3ac2850e3e5aed5277635655b95cdd06ff5.exe
- Size
  
  108KB
- MD5
  
  5116a3041a749db103222aa33a273466
- SHA1
  
  b995231d04244af56f613e5e1e33cccb92ff4d4e
- SHA256
  
  1f2f39600815db1ee39333ed0b8df3ac2850e3e5aed5277635655b95cdd06ff5
- SHA512
  
  027fc7751bfb8a08f597b1f7c782cbcf48e9ed2343baf88ff8db3e8ddb6d6b9d25869d312c525cb7b69dac295eafed7a9806946f65b06cc131afffa75339dd1d
- SSDEEP
  
  3072:wsxVbOH15pDkIJSj5at2CZEak1qcfkZkPqib1AxD2AXSn3:wsvbwrpDksSj5at2AEak1qcsePqib1si
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral23 behavioral24
- Target
  
  1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
- Size
  
  1.6MB
- MD5
  
  2c4dbe075f37719580a096bf67bf048e
- SHA1
  
  71673f7af94683985e875f3db73cbf1a5509228e
- SHA256
  
  1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
- SHA512
  
  6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral25 behavioral26
- Target
  
  1fb433aec18f49dd4aaed65148cb184e0b7051e23b89fdd7475e4258d013dc59.exe
- Size
  
  281KB
- MD5
  
  14abc67d890548ae22c3b0e023174914
- SHA1
  
  47d2ae785d46125c9a55ee4a73075828a9e6c84c
- SHA256
  
  1fb433aec18f49dd4aaed65148cb184e0b7051e23b89fdd7475e4258d013dc59
- SHA512
  
  1b80df3e751530d8cf193b968ee56abcef2bfa8f22b57e8a530db299d849f3475b7b64415444ee2ef1ef48a08aa4c1882ef108b5dbed007c071c5146ef5f4105
- SSDEEP
  
  6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66faJ:boSeGUA5YZazpXUmZhZ6iJ
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  1fe86f0bbb009253ce910b58986a7e3e.exe
- Size
  
  33KB
- MD5
  
  1fe86f0bbb009253ce910b58986a7e3e
- SHA1
  
  a4d65c837f39c7ab3ccbddad520c85171984d959
- SHA256
  
  7b79046511bb3e926c5c91db54dae79c06bc19f7d7cdfcfe6df9627eb257cac7
- SHA512
  
  24034bd34e5dee4a8452c2ca872847ac5eb655a0e5bd4c822c50553e022defecbc58a3cc50d19a0b7b86785841c0d6b7b04f6b483e030cc47ae4bf3aeea8ae6f
- SSDEEP
  
  768:D+CD9VERUnqNIUoFqimZoVFY9jYOjh4bZ:Dh9VUNITHm0FY9jYOj+9
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
behavioral29 behavioral30
- Target
  
  201b2bf97ddea77b00751cc452d4e9075c96d457f044b15577048454430f0742.exe
- Size
  
  115KB
- MD5
  
  18b9b2bf0f8001547dd3e3645d4bd744
- SHA1
  
  7973dee49840a6586dd94fc3d1503ba07ead70e2
- SHA256
  
  201b2bf97ddea77b00751cc452d4e9075c96d457f044b15577048454430f0742
- SHA512
  
  5ea7d4ac55231b79c0900fb3d262c55626b2c41be8b0a63a9769797cf8d5b368d6014163dc034516dc8841bb70f6144200f67c3709da108a18f03e86589c3c18
- SSDEEP
  
  1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6v:P5eznsjsguGDFqGZ2riv
Score

10^/10

njrat neuf defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral31 behavioral32