General
-
Target
Akrien_Premium.exe
-
Size
8.5MB
-
Sample
210903-xj87asdde3
-
MD5
61a5ddd87d94b506ab77059e6fcb66cd
-
SHA1
e13e3d4b2552361dc25a97c42e3cd8a3a7d02d8b
-
SHA256
baccb02dbbd9e728fd29794571a4aee68f46e3d7486ee32c3a8736f7cf68048a
-
SHA512
d0c247f0c030f0e9ba20d0eaf48f0f51b380f163d5c177aec8e66aa42eec8b4bd76a3190fafe323acb0b3f3175361b2698fa3cad1f8013caaa6c1fdbbb1b0ae1
Malware Config
Extracted
njrat
0.7d
svchost.exe
ZGV6enouZGRucy5uZXQStrik:MTExMw==
46e965f5f5848506688f5b149f1608ad
-
reg_key
46e965f5f5848506688f5b149f1608ad
-
splitter
|'|'|
Targets
-
-
Target
Akrien_Premium.exe
-
Size
8.5MB
-
MD5
61a5ddd87d94b506ab77059e6fcb66cd
-
SHA1
e13e3d4b2552361dc25a97c42e3cd8a3a7d02d8b
-
SHA256
baccb02dbbd9e728fd29794571a4aee68f46e3d7486ee32c3a8736f7cf68048a
-
SHA512
d0c247f0c030f0e9ba20d0eaf48f0f51b380f163d5c177aec8e66aa42eec8b4bd76a3190fafe323acb0b3f3175361b2698fa3cad1f8013caaa6c1fdbbb1b0ae1
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-