General

  • Target

    523bad27ca697be3062f3b686fbc340c

  • Size

    11.9MB

  • Sample

    211018-l1tbmaecej

  • MD5

    523bad27ca697be3062f3b686fbc340c

  • SHA1

    c5c543b9d3caac64410ac4809e27edab70578383

  • SHA256

    b2d9069b544272c99bd52e194839a3fe38c721ea5629d52e1c05fdfdba1e1dd5

  • SHA512

    08812018a2c1807cdd14aa238e44665629f97bd7deb7aeb74d1688accb1efe7597c456987ac0fe3abfd79eebc280fe0e01b0556ff04aafbd634f93a158b2e2cb

Malware Config

Extracted

  • Family

    njrat

  • Version

    Carbonblack2102

  • Botnet

    batvoi

  • C2

    1368.vnh.wtf:5552

  • Mutex

    0de45b5c6627a3e65a4b2a1e68ec841b

  • Attributes

    reg_key: 0de45b5c6627a3e65a4b2a1e68ec841b

    splitter: |'|'|

Targets

    • Target

      Woxy 3.0 [Crack.sx]/BouncyCastle.Crypto.dll

    • Size

      2.4MB

    • MD5

      40396d1498c1ab6354ae47a03a24b21c

    • SHA1

      97cbbcc6888f6b4ddfea49fe558f7cd7ec71298d

    • SHA256

      83ba441c5572bba81381427c18ae36eeb9c8b831e51edd449a54a31838a5577d

    • SHA512

      13c39a95ed84ea646da28332bd10cc58cf02f09a507665f039d3b3f45e5efc590bbeb123ec70cac4856948001d6b7a6ccd57f45e917a9dfaab3e9151640ede89

    • Score

      1/10

    • Target

      Woxy 3.0 [Crack.sx]/Colorful.Console.dll

    • Size

      88KB

    • MD5

      0717e2914548b3c78dfd6e91a8d3e1a4

    • SHA1

      9f51e80be3f5dbedb58b399543eb906bea52504e

    • SHA256

      9103509d436d1c77e8a6784f3d6a7af43645e48bf626f2ecb324c586ce504b23

    • SHA512

      e6aa4362bb168cb3711cc5214d370ee2cd05d0b80efc50d1969697bfedec76d7fd898a60dde544511a669c9eed418ef5898908de94cfde5e319cf3e1a3772e5a

    • Score

      1/10

    • Target

      Woxy 3.0 [Crack.sx]/ConsoleTables.dll

    • Size

      12KB

    • MD5

      6b5b52221bbfc30dea0b48509e485296

    • SHA1

      eacb77666504811bded7c25cee3e22b34170a311

    • SHA256

      d6c254ce7d8d87cfe293bc045adc66955a363285a1ae0bc4344558bc67821116

    • SHA512

      7d6d76fa9e9652fed10d56a8771505398c25cc5ddd83c7cf389703037bf37f3ef08546c51f42770e9876f8c791dfa97792bd983f6dd68819fcc5eddce11f6bca

    • Score

      1/10

    • Target

      Woxy 3.0 [Crack.sx]/MailKit.dll

    • Size

      686KB

    • MD5

      38e5ee317e78f6a1c623d68272993e16

    • SHA1

      7021bef88134f2b3e8423dd9ceb852003345cdb5

    • SHA256

      66dc850d221b41e5b8976d028673c643dd430e06ba89c2ce3b5ae9a37c2c070f

    • SHA512

      339008ae5a9318492bb239eb8981360288f0f00b4059adb7293f0c4242edaf05d9bf2f902405da24ead05516289af9c2b726fd8d2c6fe2694c1b58805296900e

    • Score

      1/10

    • Target

      Woxy 3.0 [Crack.sx]/MimeKit.dll

    • Size

      880KB

    • MD5

      4eef3bd07be47625ec71487dd9fc3b10

    • SHA1

      7ad70ea1f75167625f32c45fbbdd9aa3e237de1b

    • SHA256

      9aa3f96fb6e71d609f77cc529efad99de83b65753704ba2b6993ca88f7f7c185

    • SHA512

      d0889678949f563ecd16c47db841dcc5d225cf1feeda98ea7d87d5168f5a01450b45f7b4b91a3cb577a677d75f7dcb3e69b68b7656846d2092b6c2b300df198b

    • Score

      1/10

    • Target

      Woxy 3.0 [Crack.sx]/Newtonsoft.Json.dll

    • Size

      659KB

    • MD5

      d827dd8a8c4b2a2cfa23c7f90f3cce95

    • SHA1

      26c78dad612aff904f216f19f49089f84cc77eb8

    • SHA256

      b66749b81e1489fcd8d754b2ad39ebe0db681344e392a3f49dc9235643bdbd06

    • SHA512

      9ce24c4497fe614b78b3f2f985cafb817d52f21d090aa23fd87f1a3478135abe95e0abe3557dd3f12a5b3f4c9a09e8337169988314c12c51b4951317e0569787

    • Score

      1/10

    • Target

      Woxy 3.0 [Crack.sx]/Woxy 3.0 [Crack.sx].exe

    • Size

      776KB

    • MD5

      5afd70d54cc4af7f236894d674842493

    • SHA1

      6565657adebd3063ba85886e551e551b0bbd6fdb

    • SHA256

      8b79e79f75578ab62d83e89b6bfaf5404fa868041b880995579f3cd6ae6f995e

    • SHA512

      6fa7daafcd661d873bae7e092fab5c89f8a56978003d31b3b91eabc735e50ecc01b8e90f90fbcec193c0656f134b6ce69c98825cfbaeaa07a536ddc5eea641fa

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • System Information Discovery (T1082): 1

Collection

  • Data from Local System (T1005): 1

Tasks