njrat | f6eefa2b51e3cac7c28e1f1daee27e58da32f1d185444ca091ab74054f7324d9

General

Target

EaseUS Partition Master v15.5 (All Editions) + Fix\Setup\epm_setup.exe
Size

45.4MB
Sample

211221-qknhnaedbp
MD5

362b463dbc385956a53038ce51a216d7
SHA1

7c675879edbdad5abaf98c43867dbb734d2eab31
SHA256

f6eefa2b51e3cac7c28e1f1daee27e58da32f1d185444ca091ab74054f7324d9
SHA512

1a6e436bf1da58ed66b69e0aadb03eab0a84424e14a057e5eb3d2efb210a26347c8f93c2d6c96e204a99ce3a316d564bfb9a0a6c725f19240e89beefa447cd44

Score

10^/10

Malware Config

Targets

- Target
  
  EaseUS Partition Master v15.5 (All Editions) + Fix\Setup\epm_setup.exe
- Size
  
  45.4MB
- MD5
  
  362b463dbc385956a53038ce51a216d7
- SHA1
  
  7c675879edbdad5abaf98c43867dbb734d2eab31
- SHA256
  
  f6eefa2b51e3cac7c28e1f1daee27e58da32f1d185444ca091ab74054f7324d9
- SHA512
  
  1a6e436bf1da58ed66b69e0aadb03eab0a84424e14a057e5eb3d2efb210a26347c8f93c2d6c96e204a99ce3a316d564bfb9a0a6c725f19240e89beefa447cd44
Score

10^/10

discovery njrat quasar spyware suricata trojan upx
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Quasar Payload

Quasar RAT

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2