Overview

overview

10

Static

static

fd08b4818c...7d.exe

windows7_x64

10

fd08b4818c...7d.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fd08b4818cca94554574c5e7a3c5a57d

  • Size

    769KB

  • Sample

    211216-cwv5zsbba4

  • MD5

    fd08b4818cca94554574c5e7a3c5a57d

  • SHA1

    64c66820b0caa0bfda38230c269679bd7dbe66ef

  • SHA256

    23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60

  • SHA512

    13591b28b3091386021a8337c058ec84bdce3eb1d59f5b87b2ea043a95d6bc0e8b0440956dbcbb4a67a204283449ce3e76bd7bc24c105306b8bc3ff992175a0c

Score
10/10
njrathagilenetpersistencetrojan

Malware Config

Extracted

Family

njrat

Botnet

H

C2

dreem.linkpc.net:7500

Attributes
  • splitter

    !'!@!'!

Targets

    • Target

      fd08b4818cca94554574c5e7a3c5a57d

    • Size

      769KB

    • MD5

      fd08b4818cca94554574c5e7a3c5a57d

    • SHA1

      64c66820b0caa0bfda38230c269679bd7dbe66ef

    • SHA256

      23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60

    • SHA512

      13591b28b3091386021a8337c058ec84bdce3eb1d59f5b87b2ea043a95d6bc0e8b0440956dbcbb4a67a204283449ce3e76bd7bc24c105306b8bc3ff992175a0c

    Score
    10/10
    njrathagilenetpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks