njrat | c2cb1ef98ec7e18aa02c03a44cb11874a2814785cf98822eb9bc5064538e0b79

General

Target

IObit Uninstaller Pro v11.1.0.18 + Fix\Setup\iobituninstaller.exe
Size

25.8MB
Sample

211215-grwyyahgfp
MD5

5676e4b96b6cea6eb9a9f0c9aedf0cd8
SHA1

174ef0e3bd3543d0521f7efbfe11e2baf8ceaef0
SHA256

c2cb1ef98ec7e18aa02c03a44cb11874a2814785cf98822eb9bc5064538e0b79
SHA512

05068a1eda3a194d1ebc1000dc58079222941c002f5070a61a7650d0fb13b9aa6b7aff09a4e131f54faf0eb0e98587db1638ec9719b667d612d3077bcb9b9ac8

Score

10^/10

Malware Config

Targets

- Target
  
  IObit Uninstaller Pro v11.1.0.18 + Fix\Setup\iobituninstaller.exe
- Size
  
  25.8MB
- MD5
  
  5676e4b96b6cea6eb9a9f0c9aedf0cd8
- SHA1
  
  174ef0e3bd3543d0521f7efbfe11e2baf8ceaef0
- SHA256
  
  c2cb1ef98ec7e18aa02c03a44cb11874a2814785cf98822eb9bc5064538e0b79
- SHA512
  
  05068a1eda3a194d1ebc1000dc58079222941c002f5070a61a7650d0fb13b9aa6b7aff09a4e131f54faf0eb0e98587db1638ec9719b667d612d3077bcb9b9ac8
Score

10^/10

discovery njrat quasar spyware suricata trojan upx
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Quasar Payload

Quasar RAT

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2