751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982

General
Target: 751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982
Size: 1MB
Sample: 210914-jp7zjaacdl
Score: 10/10
MD5: 82cb908a68275e3bc35158b546323631
SHA1: 4ffe5f66cfc667df8a3acce200199b2a5419a281
SHA256: 751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982
SHA512: ada9b9053e0cf8ea3d2f5a581366792c2c90a2009c53319f0bb435b915d586beab4d4ae46ed6b51284dc0973cf69418a1c2ab2c2b90cab86afc8e35989dc4729

Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: Hacked
C2: gtawins.ddns.net:1177
Attributes
  reg_key: 3ce17b94d100323a220dbf54788571e1
  splitter: |'|'|
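The splitter above is the field delimiter njRAT uses inside its C2 messages. The following is an added example, not code from the report or from njRAT: it splits a byte stream into frames and fields using that delimiter. The framing it assumes (ASCII decimal payload length, a NUL byte, then the payload, with fields separated by the splitter) is the commonly documented njRAT layout; the sample traffic is constructed for the example, not captured from this sample, and the third frame is deliberately truncated to show how a partial frame is buffered for the next read.

```python
# Added example (not from the report or from njRAT): parse njRAT-style
# framed C2 traffic with the splitter extracted from the config above.
# Assumed framing: "<decimal length>\x00<payload>", fields split by SPLITTER.

SPLITTER = b"|'|'|"  # value from the extracted config


def frame(payload: bytes) -> bytes:
    """Build one frame under the assumed framing (used here only to
    construct sample traffic for the example)."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes, splitter: bytes = SPLITTER):
    """Split a byte stream into complete frames.

    Returns (frames, remainder): frames is a list of field lists, one per
    complete frame; remainder is any trailing partial frame, which the caller
    prepends to the next chunk read from the socket or pcap.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not complete yet
        length_bytes = stream[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_bytes!r}")
        length = int(length_bytes)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break  # payload not complete yet; keep it buffered
        frames.append(stream[start:end].split(splitter))
        pos = end
    return frames, stream[pos:]


def summarize(fields):
    """Reduce a parsed frame to the command token and the victim identifier
    that follows it, the two fields an analyst looks at first."""
    cmd = fields[0].decode("latin-1", "replace")
    victim = fields[1].decode("latin-1", "replace") if len(fields) > 1 else ""
    return cmd, victim


# Constructed sample traffic (not captured from this sample): a registration
# frame whose victim id carries the "Hacked" botnet name from the config,
# a short second frame, and a truncated third frame to exercise buffering.
SAMPLE_STREAM = (
    frame(SPLITTER.join([b"ll", b"Hacked_DEADBEEF", b"DESKTOP-01", b"user",
                         b"21-09-14", b"", b"Win 10 Pro SP0 x64", b"No",
                         b"0.7d", b".."]))
    + frame(SPLITTER.join([b"inf", b"Hacked_DEADBEEF"]))
    + b"57\x00ll" + SPLITTER + b"Hacked_DEAD"  # cut off mid-frame
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(summarize(f), len(f), "fields")
    print("buffered remainder:", rest)
```

The length prefix is validated before use so a mis-synchronised stream raises instead of silently producing garbage fields; the empty field in the first constructed frame shows that consecutive splitters survive the split as an empty field rather than being collapsed.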

Extracted
Family: nanocore
Version: 1.2.2.0
C2: gtawins.ddns.net:2001
Attributes
  activate_away_mode: true
  backup_connection_host: gtawins.ddns.net
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2018-03-24T23:10:56.497932536Z
  bypass_user_account_control: true
  bypass_user_account_control_data:
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 2001
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 10485760 (10 MiB)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 10485760 (10 MiB)
  mutex: 91e727ee-d078-4218-882c-3f74b732d29c
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: gtawins.ddns.net
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 5000
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Targets
Target: 751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982
Signatures

  • NanoCore
    Description: NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • njRAT/Bladabindi
    Description: Widely used RAT written in .NET.

  • Executes dropped EXE

  • Modifies Windows Firewall
    TTPs: Modify Existing Service

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence check.
    TTPs: Query Registry; System Information Discovery

  • Drops startup file

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Checks whether UAC is enabled
    TTPs: System Information Discovery
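The extracted configs and the signatures above give a practitioner a concrete hunting set: the shared C2 host and its two ports, the NanoCore mutex, the njRAT reg_key, Run-key persistence and firewall modification. The block below is an added example, not code from the report or from either malware family: it turns those indicators into checks and runs them over constructed log lines. The log formats, hostnames, IP addresses and the netsh command line are assumed for illustration, and the use of reg_key as the name of the njRAT Run-key value is an assumption about the family's persistence, not something the report states.

```python
# Added example (not from the report, njRAT or NanoCore): hunt for the
# indicators extracted above in constructed log lines. Log formats, hosts,
# IPs and the command line are assumptions made for this example.
import re

# Indicators taken from the extracted configs on this page.
IOCS = {
    "c2_host": {"gtawins.ddns.net"},
    "c2_port": {1177, 2001},
    "mutex": {"91e727ee-d078-4218-882c-3f74b732d29c"},
    "njrat_reg_key": {"3ce17b94d100323a220dbf54788571e1"},
}

# One regex per assumed log record type; named groups feed the checks.
DNS_RE = re.compile(r"dns query=(?P<qname>\S+)")
NET_RE = re.compile(r"netconn dst=(?P<dst>[^:\s]+):(?P<port>\d+)")
REG_RE = re.compile(r"regset key=(?P<key>\S+) value=(?P<value>\S+)")
MUTEX_RE = re.compile(r"mutex name=(?P<name>\S+)")
PROC_RE = re.compile(r'proc image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def check_line(line: str):
    """Return a list of (indicator_type, matched_value) for one log line."""
    hits = []
    if (m := DNS_RE.search(line)) and m["qname"].rstrip(".").lower() in IOCS["c2_host"]:
        hits.append(("c2_host", m["qname"]))
    if m := NET_RE.search(line):
        if m["dst"].lower() in IOCS["c2_host"] or int(m["port"]) in IOCS["c2_port"]:
            hits.append(("c2_conn", f'{m["dst"]}:{m["port"]}'))
    if m := REG_RE.search(line):
        # Assumption: njRAT names its Run-key value after the configured reg_key.
        # Any other new Run-key value is still worth a look ("Adds Run key").
        if m["value"] in IOCS["njrat_reg_key"]:
            hits.append(("njrat_reg_key", m["value"]))
        elif RUN_KEY_RE.search(m["key"]):
            hits.append(("run_key_persistence", m["value"]))
    if (m := MUTEX_RE.search(line)) and m["name"].strip("{}").lower() in IOCS["mutex"]:
        hits.append(("nanocore_mutex", m["name"]))
    if m := PROC_RE.search(line):
        # "Modifies Windows Firewall": netsh firewall / advfirewall rule changes.
        cl = m["cmdline"].lower()
        if "netsh" in cl and "firewall" in cl and ("add" in cl or "allow" in cl):
            hits.append(("firewall_modify", m["cmdline"]))
    return hits


def hunt(lines):
    """Run check_line over log lines; returns [(line_no, hits)] for lines with hits."""
    return [(i, h) for i, l in enumerate(lines, 1) if (h := check_line(l))]


# Constructed sample log lines, not taken from the sandbox run.
SAMPLE_LOG = [
    "2021-09-14T10:01:02Z host=ws01 dns query=gtawins.ddns.net. type=A",
    "2021-09-14T10:01:03Z host=ws01 netconn dst=203.0.113.10:1177 proto=tcp",
    "2021-09-14T10:01:03Z host=ws01 mutex name={91e727ee-d078-4218-882c-3f74b732d29c}",
    "2021-09-14T10:01:04Z host=ws01 regset key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=3ce17b94d100323a220dbf54788571e1",
    '2021-09-14T10:01:05Z host=ws01 proc image=C:\\Windows\\System32\\netsh.exe cmdline="netsh firewall add allowedprogram C:\\Users\\user\\AppData\\Roaming\\svchost.exe svchost ENABLE"',
    "2021-09-14T10:02:00Z host=ws02 dns query=www.example.com. type=A",
    "2021-09-14T10:02:01Z host=ws02 netconn dst=198.51.100.7:443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, hits in hunt(SAMPLE_LOG):
        print(line_no, hits)
```

Because the C2 is a dynamic DNS name, the network check matches on the destination port as well as the host, so a connection logged only by resolved IP still surfaces; the trailing dot on DNS query names and the braces around mutex names are normalised before comparison, which is the usual source of missed matches when indicators are pasted straight from a report into a SIEM.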

Related Tasks

MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks
static1: 10/10
behavioral1: 1/10