njrat | 6e42af11459ad4b401ec0a953ccfbad353662da1fee99c07b90050a141cbb4d4

General

Target

2025-05-16_43d04a9df9c0ca6331892a68b9b417a1_black-basta_cobalt-strike_ryuk_satacom
Size

717KB
Sample

250516-hd8k9aar5s
MD5

43d04a9df9c0ca6331892a68b9b417a1
SHA1

c6412605255f4b23a5f84bfacb788f776704224b
SHA256

6e42af11459ad4b401ec0a953ccfbad353662da1fee99c07b90050a141cbb4d4
SHA512

3864be3bc5935728ee46dd677b10764545a8558645e0c2519e31a5ef4badd95de15c53b86d1f5b9b5397cb1d1dc95d5c4cb88489c3a6e456691294937c351250
SSDEEP

12288:wQdkVm4hnVkT2X1ZFCDjZarKfU+SOvLwkhkEvTolrAtKfU+SOvLwkhkEvTolrAT:YnzMjfrSOjbJvMlrAAfrSOjbJvMlrAT

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

13.7

Botnet

1ef8146d724a33824358ccb91558f39c

C2

https://t.me/eom25h

https://steamcommunity.com/profiles/76561199855598339

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/135.0.0.0 Safari/537.36 OPR/120.0.0.0

Extracted

Family

xworm

C2

94.26.90.81:2404

Attributes

Install_directory
%AppData%
install_file
Edge Browser.exe

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

213.209.150.210:7773

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  2025-05-16_43d04a9df9c0ca6331892a68b9b417a1_black-basta_cobalt-strike_ryuk_satacom
- Size
  
  717KB
- MD5
  
  43d04a9df9c0ca6331892a68b9b417a1
- SHA1
  
  c6412605255f4b23a5f84bfacb788f776704224b
- SHA256
  
  6e42af11459ad4b401ec0a953ccfbad353662da1fee99c07b90050a141cbb4d4
- SHA512
  
  3864be3bc5935728ee46dd677b10764545a8558645e0c2519e31a5ef4badd95de15c53b86d1f5b9b5397cb1d1dc95d5c4cb88489c3a6e456691294937c351250
- SSDEEP
  
  12288:wQdkVm4hnVkT2X1ZFCDjZarKfU+SOvLwkhkEvTolrAtKfU+SOvLwkhkEvTolrAT:YnzMjfrSOjbJvMlrAAfrSOjbJvMlrAT
Score

10^/10

njrat vidar xworm 1ef8146d724a33824358ccb91558f39c hacked credential_access cryptone defense_evasion discovery execution packer persistence rat spyware stealer trojan
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Njrat family
  njrat
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1