njRAT trojan horse | Joachim De Zutter
February 2019
File size: 249856
MD5: 53d4f0340d9bf96140547139bc327b86
SHA1: 74856e44aa43527c289d0ff3bf156837a63770dc
SHA256: 8da51ddd596187cc869bf1e7900c5c43fe90f49b4ecb4358223969a2a807c9e0
The *.SCR executable had a file name using the RTLO technique (a Unicode right-to-left override character, U+202E, that makes the trailing part of the name render reversed) to spoof a harmless-looking file extension, combined with a tempting icon, to social-engineer the victim into executing it.
It was sent via IRC DCC file transfer from 156.218.197.47 on TCP port 1024.
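As an added example (not part of the original write-up, and the lure file name it uses is constructed, since the note does not give the real one), the following Python shows how to detect the RTLO trick in a file name and recover both what the OS will actually execute and what a file browser shows the victim:

```python
import unicodedata

# Unicode bidi control characters commonly abused to disguise a file extension.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one the RTLO trick relies on; the others
# are included so a scanner does not miss variants of the same idea.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi", "ps1"}


def displayed_name(name: str) -> str:
    """Approximate what a file browser renders: everything after the first U+202E
    is drawn right-to-left, i.e. reversed. Other control characters are invisible
    and are dropped. This models the single-override case used by such lures."""
    if "\u202e" not in name:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, _, tail = name.partition("\u202e")
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse_filename(name: str) -> dict:
    """Return real vs. displayed extension and whether the name looks like an
    RTLO extension-spoofing lure (control char present, real ext executable,
    and the victim would see a different extension)."""
    controls = [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    real = "".join(ch for ch in name if ch not in BIDI_CONTROLS)  # what the OS actually opens
    shown = displayed_name(name)
    return {
        "bidi_controls": controls,
        "real_extension": extension(real),
        "displayed_as": shown,
        "displayed_extension": extension(shown),
        "suspicious": bool(controls)
        and extension(real) in EXECUTABLE_EXTS
        and extension(real) != extension(shown),
    }


# Constructed sample lure name (assumption, not the file from the analysis):
# Explorer renders it as "holiday_photorcs.jpg" while the OS sees a .scr file.
SAMPLE_LURE = "holiday_photo\u202egpj.scr"

if __name__ == "__main__":
    print(analyse_filename(SAMPLE_LURE))
```

The same check is worth running over attachment names at the mail gateway and over file-creation telemetry: a bidi control character in a file name has essentially no legitimate use on an endpoint.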
Two objects were found inside the resources of the .NET executable: a JPEG file and an executable written in Visual Basic .NET.
Dropped and executed C:\Users\ [...] \AppData\Local\opCwvEtTEY.exe
Dropped and opened the decoy JPEG image C:\Users\ [...] \AppData\Local\KIDNsjtBhZ.jpg
File size: 24064
MD5: 3840cd1fca2a3efcefd30230fed899f6
SHA1: 972554f69273af71a3e9146a7e18c9684e125cb9
SHA256: bd78ff1ed264408d7be31cb1e4130273f8da8b06e80302428f3b0df456728291
opCwvEtTEY.exe copied itself to %APPDATA%\svchost.exe (masquerading as the Windows service host binary, which legitimately lives only under %SystemRoot%\System32 and SysWOW64)
Executed %APPDATA%\svchost.exe
%APPDATA%\svchost.exe executed "netsh firewall add allowedprogram "C:\Users\ [...] \AppData\Roaming\svchost.exe" "svchost.exe" ENABLE" (the legacy netsh firewall syntax; this adds a Windows Firewall exception so inbound connections to the RAT are not blocked)
Installed an autorun key in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named e465f3fd6b569cf68e5ad2c5c1318b95
Tried to establish a TCP connection with the C2 server on port 1177 (njRAT's default port) of emy100.hopto.org, a No-IP dynamic DNS host name, which resolved to 156.218.197.47, 200.2.166.122 and 156.219.39.15. The first of these is the same address that delivered the file over IRC DCC.
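As an added example (my own detection logic, not from the original analysis), the following Python turns the persistence, firewall, masquerading and C2 observations above into checks run over process, registry and network events. The events are constructed to resemble Sysmon telemetry and are not real logs; the user name, the benign destination and the heuristic rules (svchost.exe outside the system directories, a Run-key value named with 32 hex characters, a netsh firewall exception) are assumptions generalised from this one sample:

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the analysis above.
C2_HOSTS = {"emy100.hopto.org", "156.218.197.47", "200.2.166.122", "156.219.39.15"}
C2_PORTS = {1177}  # njRAT's default listener port
KNOWN_MD5 = {
    "53d4f0340d9bf96140547139bc327b86",  # RTLO .scr dropper
    "3840cd1fca2a3efcefd30230fed899f6",  # dropped VB.NET payload
}
# Behavioural heuristics (assumptions generalised from the observed chain).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
NETSH_EXCEPTION = re.compile(
    r"netsh\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)
RUN_VALUE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)


def check_event(ev: dict) -> list:
    """Return the indicator names an event matches (empty list if clean)."""
    hits = []
    if ev["type"] == "process":
        image = PureWindowsPath(ev["image"])
        if image.name.lower() == "svchost.exe" and str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
            hits.append("svchost.exe outside System32/SysWOW64")
        if NETSH_EXCEPTION.search(ev.get("cmdline", "")):
            hits.append("firewall exception added via netsh")
        if ev.get("md5", "").lower() in KNOWN_MD5:
            hits.append("known njRAT sample hash")
    elif ev["type"] == "registry":
        m = RUN_VALUE.search(ev["key"])
        if m and HEX32.match(m.group(1)):
            hits.append("Run-key value with 32-hex-char name")
    elif ev["type"] == "network":
        if ev.get("dst_port") in C2_PORTS:
            hits.append("connection to njRAT default port 1177")
        if ev.get("dst_host", "").lower() in C2_HOSTS or ev.get("dst_ip") in C2_HOSTS:
            hits.append("connection to known C2 host/IP")
    return hits


def scan(events: list) -> list:
    """(event index, indicator) pairs for every match in a batch of events."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed events modelled on Sysmon process/registry/network telemetry
# (user "bob", the 443 destination and the zero hash are made up).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "md5": "00000000000000000000000000000000"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe", "md5": "3840cd1fca2a3efcefd30230fed899f6"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\bob\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\e465f3fd6b569cf68e5ad2c5c1318b95"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "network", "dst_host": "emy100.hopto.org", "dst_ip": "156.218.197.47", "dst_port": 1177},
    {"type": "network", "dst_host": "update.example", "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for idx, indicator in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {indicator}")
```

The hash and host lists are the brittle part (a rebuilt sample or a new dynamic DNS name evades them); the path, netsh and Run-key rules catch the behaviour and are the ones worth keeping in a detection ruleset.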