njrat | cc3766508cfe6674d7c5a3008353ad24aa7e50c576a77b31e26985bd7aee5aa0 | Triage

Sharing

General

Target

Kaspersky.exe
Size

93KB
Sample

250329-pk183svkw3
MD5

3060fc299e17c7783df72a4e5f031f39
SHA1

2b1a867cf9dd435670d3c638974b4ad3c4a6ac87
SHA256

cc3766508cfe6674d7c5a3008353ad24aa7e50c576a77b31e26985bd7aee5aa0
SHA512

490a2728a54d021e2834332b8a1cc37475486794a2eef27c974a587ede72e1ca4672e3d0f05c646c954f4f4760c12a13f9cd901b816436ca20690ad14f904aa2
SSDEEP

1536:HV/r7EkrjaFIs7E5OxzJn8njEwzGi1dDjDzgS:HV7jau5OVVLi1drs

Score

10^/10

njrat pupsik defense_evasion discovery persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Pupsik

C2

hakim32.ddns.net:2000

7.tcp.eu.ngrok.io:10780

Mutex

83252676f26e0ab65853f7859226c726

Attributes

reg_key
83252676f26e0ab65853f7859226c726
splitter
|'|'|

Targets

- Target
  
  Kaspersky.exe
- Size
  
  93KB
- MD5
  
  3060fc299e17c7783df72a4e5f031f39
- SHA1
  
  2b1a867cf9dd435670d3c638974b4ad3c4a6ac87
- SHA256
  
  cc3766508cfe6674d7c5a3008353ad24aa7e50c576a77b31e26985bd7aee5aa0
- SHA512
  
  490a2728a54d021e2834332b8a1cc37475486794a2eef27c974a587ede72e1ca4672e3d0f05c646c954f4f4760c12a13f9cd901b816436ca20690ad14f904aa2
- SSDEEP
  
  1536:HV/r7EkrjaFIs7E5OxzJn8njEwzGi1dDjDzgS:HV7jau5OVVLi1drs
Score

8^/10

defense_evasion discovery persistence privilege_escalation
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoverypersistenceprivilege_escalation

behavioral2

defense_evasiondiscoverypersistenceprivilege_escalation