njrat | 715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a

General

Target

607abbe37ff13a59b3ffa987d3a273dc.exe
Size

945KB
Sample

250624-gckx5ax1g1
MD5

607abbe37ff13a59b3ffa987d3a273dc
SHA1

01aef15fc2992ba4769f60c8326057286ec637d7
SHA256

715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a
SHA512

7609f667281ef5b1a23a63ddb2c4f997e351f552057ecf9cd100b6453b467d57d31435cddb7519cbe0d0484e9e6c4b5af68db6c9d19aa855ebf6c18be71ee0e0
SSDEEP

24576:aMcm3JE3VPxEw/5D2F7LD6RMsatx448Icsatx448I:98VPiwhDRMsatx44Vcsatx44V

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

14.3

Botnet

f75200b07dd43d1c5af8a9dbd1186356

C2

https://t.me/l07tp

https://steamcommunity.com/profiles/76561199869630181

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0

Extracted

Family

xworm

C2

66.63.187.164:8594

Attributes

Install_directory
%AppData%
install_file
Firefox.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Google Chrome

C2

66.63.187.164:8596

Mutex

2c4580c8-66ed-44c1-9d8b-da599f0a454b

Attributes

encryption_key
A978BA54BE34046C0D3E3D447504B0C1FBA599C7
install_name
Client.exe
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
log_directory
Logs
reconnect_delay
5000
startup_key
Edge Browser
subdirectory
Chrome Google

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

66.63.187.164:8595

Mutex

svchost

Attributes

reg_key
svchost
splitter
|Hassan|

Targets

- Target
  
  607abbe37ff13a59b3ffa987d3a273dc.exe
- Size
  
  945KB
- MD5
  
  607abbe37ff13a59b3ffa987d3a273dc
- SHA1
  
  01aef15fc2992ba4769f60c8326057286ec637d7
- SHA256
  
  715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a
- SHA512
  
  7609f667281ef5b1a23a63ddb2c4f997e351f552057ecf9cd100b6453b467d57d31435cddb7519cbe0d0484e9e6c4b5af68db6c9d19aa855ebf6c18be71ee0e0
- SSDEEP
  
  24576:aMcm3JE3VPxEw/5D2F7LD6RMsatx448Icsatx448I:98VPiwhDRMsatx44Vcsatx44V
Score

10^/10

njrat quasar vidar xworm f75200b07dd43d1c5af8a9dbd1186356 google chrome hacked credential_access cryptone defense_evasion discovery packer persistence rat spyware stealer trojan
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2