General

  • Target

    qkZKfZTC9ZEN8z2.exe

  • Size

    383KB

  • Sample

    201226-lvsavs9hj6

  • MD5

    170f90d6d9b128a8af103c8003539a54

  • SHA1

    35a2f8791679b7b17fbb2758a4de717bf1314039

  • SHA256

    b34672c7194dc439e09164ea39449d529a1efde6029f18edadb26e399591c68f

  • SHA512

    512a34561fe2528287308738999ec9d58c1690098673af9cde7b429b7e307c21a9dd4c9e642514c7f51cf2971bafc975354f8d147b954292b1a4f12becdbac98

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    $$$$$$Fucking

  • C2

    whmfix009.cf:5409

  • Mutex

    f6a7c83d337d940f548e06019597f0a2

Attributes
  • reg_key

    f6a7c83d337d940f548e06019597f0a2

    Value name of the Run-key persistence entry. njRAT builds normally reuse one identifier for the mutex and the registry value, which is why the two fields match here.

  • splitter

    |'|'|

    Delimiter njRAT places between the command name and its arguments in every C2 message; it is rare in benign traffic and is a usable network signature on its own.
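
The following is an added example, not code from the report or from njRAT. It turns the extracted configuration above into the indicators a responder would search for, and parses the framing njRAT uses on the wire (a decimal byte length, a NUL byte, then the payload with fields joined by the splitter) so a captured C2 stream can be recognised. The config values are copied from the report; the Run key location, the beacon's field layout and the command names `ll` and `P` are assumptions made for the illustration.

```python
# Added example, not from the report. Config values are from the report above;
# RUN_KEY, the beacon layout and the command names are assumed.
from __future__ import annotations

CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "c2": "whmfix009.cf:5409",
    "mutex": "f6a7c83d337d940f548e06019597f0a2",
    "reg_key": "f6a7c83d337d940f548e06019597f0a2",
    "splitter": "|'|'|",
}

# Assumed: the Run value is written under the current user's hive.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def iocs(cfg: dict) -> dict:
    """Split the config into the artefacts to hunt for on hosts and on the wire."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_key": RUN_KEY,
        "run_value_name": cfg["reg_key"],
        # the splitter itself is a cheap content match for the C2 session
        "wire_marker": cfg["splitter"].encode(),
    }


def encode_frame(fields: list[str], splitter: str) -> bytes:
    """Build one njRAT frame: '<decimal byte length>\\x00<payload>'."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


def decode_stream(stream: bytes, splitter: str) -> list[list[str]]:
    """Walk a TCP stream and return each frame as its list of fields.
    Raises on a malformed or truncated frame so a partial capture is not
    silently mis-parsed as a shorter message."""
    frames, i = [], 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul < 0 or not stream[i:nul].isdigit():
            raise ValueError(f"no length prefix at offset {i}")
        n = int(stream[i:nul])
        payload = stream[nul + 1 : nul + 1 + n]
        if len(payload) != n:
            raise ValueError(f"truncated frame at offset {i}: want {n}, have {len(payload)}")
        frames.append(payload.decode("utf-8", "replace").split(splitter))
        i = nul + 1 + n
    return frames


def looks_like_njrat(stream: bytes, splitter: str) -> bool:
    """Triage check for a captured stream: every frame parses and the first
    frame carries the splitter (a registration beacon always has arguments)."""
    try:
        frames = decode_stream(stream, splitter)
    except ValueError:
        return False
    return bool(frames) and len(frames[0]) > 1


if __name__ == "__main__":
    sp = CONFIG["splitter"]
    # Constructed beacon and keep-alive; layout and command names are assumed.
    stream = encode_frame(["ll", "HacKed_DESKTOP-1", "DESKTOP-1", "user"], sp)
    stream += encode_frame(["P"], sp)
    print(iocs(CONFIG))
    for frame in decode_stream(stream, sp):
        print(frame)
    print("njRAT-like stream:", looks_like_njrat(stream, sp))
```

`decode_stream` deliberately fails closed on a truncated frame; a parser that returned the partial payload would make a cut-off capture look like a different, shorter command.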

Targets

    • Target

      qkZKfZTC9ZEN8z2.exe

    • Size

      383KB

    • MD5

      170f90d6d9b128a8af103c8003539a54

    • SHA1

      35a2f8791679b7b17fbb2758a4de717bf1314039

    • SHA256

      b34672c7194dc439e09164ea39449d529a1efde6029f18edadb26e399591c68f

    • SHA512

      512a34561fe2528287308738999ec9d58c1690098673af9cde7b429b7e307c21a9dd4c9e642514c7f51cf2971bafc975354f8d147b954292b1a4f12becdbac98

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMware Tools registry key

      Together with the VirtualBox check above, this is a registry-based test for a virtualised analysis environment.

    • Modifies Windows Firewall

      njRAT registers its own executable as an allowed program through netsh so the host firewall does not interfere with it.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Pointing a suspended thread at newly written memory is the last step of process hollowing (RunPE); combined with the dropped EXE and DLL above, this is consistent with a .NET crypter unpacking the njRAT payload into another process.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                            Signatures  ID
  Execution              Scheduled Task                       1           T1053
  Persistence            Modify Existing Service              1           T1031
  Persistence            Registry Run Keys / Startup Folder   1           T1060
  Persistence            Scheduled Task                       1           T1053
  Privilege Escalation   Scheduled Task                       1           T1053
  Defense Evasion        Virtualization/Sandbox Evasion       2           T1497
  Defense Evasion        Modify Registry                      1           T1112
  Discovery              Query Registry                       4           T1012
  Discovery              Virtualization/Sandbox Evasion       2           T1497
  Discovery              System Information Discovery         3           T1082
  Discovery              Peripheral Device Discovery          1           T1120

  The number is how many signatures from this run were mapped to the technique. The IDs are ATT&CK v6 IDs: in current ATT&CK, T1031 is T1543.003 (Create or Modify System Process: Windows Service), T1060 is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and Scheduled Task on Windows is T1053.005. T1497 now has sub-techniques, while T1012, T1082, T1112 and T1120 keep their IDs.
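
As an added example, not part of the report, the rules below map endpoint telemetry to the behaviours and ATT&CK v6 IDs listed above, so the sandbox verdict can be reproduced from Sysmon-style registry, file and process-creation events. The events are constructed for the illustration, not the sandbox's own log; the registry paths, the Startup folder and the netsh command line are the ones these behaviours usually involve and are assumptions, not values taken from the report.

```python
# Added example, not from the report. Events are constructed; the paths and
# command line in RULES are assumed, not observed in the sandbox run.
import re

SAMPLE = r"C:\Users\victim\AppData\Local\Temp\qkZKfZTC9ZEN8z2.exe"

# (behaviour name from the report, ATT&CK v6 ID from the matrix or None when
#  the report's matrix gives none, event type, regex over the event's target)
RULES = [
    ("Looks for VirtualBox Guest Additions in registry", "T1497", "reg",
     r"\\Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMware Tools registry key", "T1497", "reg",
     r"\\VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry", "T1082", "reg",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS"),
    ("Maps connected drives based on registry", "T1120", "reg",
     r"\\Services\\Disk\\Enum"),
    ("Adds Run key to start application", "T1060", "reg_set",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Drops startup file", "T1060", "file",
     r"\\Start Menu\\Programs\\Startup\\"),
    ("Modifies Windows Firewall", None, "proc",
     r"(?i)\bnetsh(\.exe)?\b.*\bfirewall\b.*\badd\b.*\ballowedprogram\b"),
]

# Constructed events: (type, image, target). 'target' is the registry path,
# file path, or child command line, depending on the type.
EVENTS = [
    ("reg", SAMPLE, r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    ("reg", SAMPLE, r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    ("reg", SAMPLE, r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("reg", SAMPLE, r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    ("reg_set", SAMPLE,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f6a7c83d337d940f548e06019597f0a2"),
    ("file", SAMPLE,
     r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f6a7c83d337d940f548e06019597f0a2.exe"),
    ("proc", SAMPLE,
     'netsh firewall add allowedprogram "' + SAMPLE + '" "qkZKfZTC9ZEN8z2.exe" ENABLE'),
    # benign noise: a browser reading its own settings; must match nothing
    ("reg", r"C:\Program Files\Firefox\firefox.exe", r"HKCU\Software\Mozilla\Firefox"),
]


def evaluate(events, rules=RULES):
    """Return {behaviour: {"attack": id, "hits": n}} for every rule that fired."""
    hits = {}
    for etype, _image, target in events:
        for name, attack, rtype, pattern in rules:
            if etype == rtype and re.search(pattern, target):
                entry = hits.setdefault(name, {"attack": attack, "hits": 0})
                entry["hits"] += 1
    return hits


def sandbox_evasion_score(hits):
    """Count distinct anti-VM / anti-sandbox checks (the matrix's T1497, T1082
    and T1120 rows). Any single key read is also done by legitimate software;
    several from one process within seconds of start is the real signal."""
    evasion = {"T1497", "T1082", "T1120"}
    return sum(1 for h in hits.values() if h["attack"] in evasion)


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for name, info in result.items():
        print(f"{info['attack'] or '-':8} x{info['hits']}  {name}")
    print("anti-analysis checks seen:", sandbox_evasion_score(result))
```

The firewall rule carries no ATT&CK ID because the report's matrix does not assign one; leaving it `None` rather than guessing keeps the detector's output traceable to the report.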
