General

  • Target

    0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0

  • Size

    2.8MB

  • Sample

    210616-t4m33rsm7a

  • MD5

    1aed5d95ffc86126b79a9fe69f3f8af4

  • SHA1

    de35454b27c455326a5b4974830d32f70058a839

  • SHA256

    0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0

  • SHA512

    33274d75ae2b56cd403fddf5007a2df2d29f0dd93e043b43bcd292ca370c0b05544dc1c8033279c769fa48fcc8631261cfc5da6f3bc9250dc6b1eea7ddfc2522

Malware Config

Extracted

Family

njrat

Version

Carbonblack2102

Botnet

batvoi

C2

1368.vnh.wtf:5552

Mutex

0de45b5c6627a3e65a4b2a1e68ec841b

Attributes
  • reg_key

    0de45b5c6627a3e65a4b2a1e68ec841b

  • splitter

    |'|'|

Targets

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6