General

  • Target

    Akrien_Premium.exe

  • Size

    8.5MB

  • Sample

    210903-xj87asdde3

  • MD5

    61a5ddd87d94b506ab77059e6fcb66cd

  • SHA1

    e13e3d4b2552361dc25a97c42e3cd8a3a7d02d8b

  • SHA256

    baccb02dbbd9e728fd29794571a4aee68f46e3d7486ee32c3a8736f7cf68048a

  • SHA512

    d0c247f0c030f0e9ba20d0eaf48f0f51b380f163d5c177aec8e66aa42eec8b4bd76a3190fafe323acb0b3f3175361b2698fa3cad1f8013caaa6c1fdbbb1b0ae1

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    svchost.exe

  • C2

    ZGV6enouZGRucy5uZXQStrik:MTExMw==

  • Mutex

    46e965f5f5848506688f5b149f1608ad

Attributes

  • reg_key

    46e965f5f5848506688f5b149f1608ad

  • splitter

    |'|'|

Targets

    • Target

      Akrien_Premium.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                              Count  ID
  Initial Access     Replication Through Removable Media    1      T1091
  Persistence        Modify Existing Service                1      T1031
  Credential Access  Credentials in Files                   2      T1081
  Discovery          System Information Discovery           1      T1082
  Lateral Movement   Replication Through Removable Media    1      T1091
  Collection         Data from Local System                 2      T1005

Tasks