Napolar.A copies itself to <start menu>\Programs\Startup\lsass.exe to make sure it runs every time you start your PC. It hides this file using a rootkit technique, so you might not be able to see it in a directory listing on the infected system. Note that a legitimate file also named lsass.exe exists by default in <system folder>; the copy in the Startup folder is the malicious one.
The trojan exits immediately if it detects that it is running under a debugger.
Payload
Downloads other malware
Napolar.A runs in explorer.exe and tries to connect to a command and control server to report the infection and get instructions. We have seen it connect to the servers www.xzy25.com and sunnyamk.com.
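The following triage script is an added example, not part of the Microsoft encyclopedia entry, that checks a host for the three indicators described above: the lsass.exe copy in the Startup folder, an lsass.exe process whose image is not the legitimate one in <system folder>, and cached DNS lookups for the two command and control hosts. It assumes the standard Windows Startup folder locations (the entry says only "<start menu>", so both the per-user and the all-users folder are checked) and that it is run as Administrator.

```powershell
# Added triage script (not from the encyclopedia entry). Because Napolar.A hides
# its dropped file with a rootkit technique, a clean result on a live system is
# not conclusive; repeat the file check from a clean boot or an offline image.

$legitLsass = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Startup-folder copy. Both Startup folders are checked (assumption: the entry
#    only says "<start menu>").
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    $candidate = Join-Path $dir 'lsass.exe'
    if (Test-Path -LiteralPath $candidate) {
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        Write-Warning "Suspicious Startup entry: $candidate (SHA256 $hash)"
    }
}

# 2. Any process named lsass.exe whose image path is not the System32 binary.
#    Path can be null for protected processes, so that case is skipped.
Get-Process -Name lsass -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ne $legitLsass } |
    ForEach-Object {
        Write-Warning "lsass.exe running from unexpected path: $($_.Path) (PID $($_.Id))"
    }

# 3. DNS cache entries for the command and control hosts named in the entry.
$c2Hosts = @('www.xzy25.com', 'sunnyamk.com')
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $c2Hosts -contains $_.Entry } |
    ForEach-Object {
        Write-Warning "DNS cache contains C2 host: $($_.Entry) -> $($_.Data)"
    }
```

A hit on check 2 or 3 is strong evidence even when check 1 finds nothing, since the process list and the DNS client cache are not what the entry says the rootkit component hides. Because the trojan runs inside explorer.exe, network connections to the C2 hosts will appear to come from explorer.exe rather than from lsass.exe, so proxy or firewall logs should be searched by destination host, not by process name.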