Overview

overview

10

Static

static

B513104971...4F.exe

windows7_x64

10

B513104971...4F.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe

  • Size

    189KB

  • Sample

    210914-1ggaaabdan

  • MD5

    0e95218e1c1f7d8f18227ce0efc4a3b2

  • SHA1

    e9e8ae35e32e47c33f557d2deddb9e837450576a

  • SHA256

    b513104971c9e0c5b6721a523c9475701a67bb368a74f4b8254049569a8497fe

  • SHA512

    fa29aa2c09ab377c9eced2658474f60d418c363a4c4e318a7ed155688f55d80452f79414d76a31f56ca69b42363037764ada15145c6297c361cb281b631c34eb

Score
10/10
njratbackupevasionpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BackUp

C2

dr-mesho.ddns.net:5552

Mutex

ce4ef724bbf43aa4dc51f763b9cf5592

Attributes
  • reg_key

    ce4ef724bbf43aa4dc51f763b9cf5592

  • splitter

    |'|'|

Targets

    • Target

      B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe

    • Size

      189KB

    • MD5

      0e95218e1c1f7d8f18227ce0efc4a3b2

    • SHA1

      e9e8ae35e32e47c33f557d2deddb9e837450576a

    • SHA256

      b513104971c9e0c5b6721a523c9475701a67bb368a74f4b8254049569a8497fe

    • SHA512

      fa29aa2c09ab377c9eced2658474f60d418c363a4c4e318a7ed155688f55d80452f79414d76a31f56ca69b42363037764ada15145c6297c361cb281b631c34eb

    Score
    10/10
    njratbackupevasionpersistencespywarestealersuricatatrojan

    • Modifies system executable filetype association

      persistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

      suricata

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks