Overview

overview

10

Static

static

IMVU.hack....17.vbs

windows7_x64

10

IMVU.hack....17.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    418655281c560221783f5b6f418c6d3d5596080db1d257e570c14f230cbe48b2

  • Size

    81KB

  • Sample

    220128-1c777seeb4

  • MD5

    e547929bed9e7ef96e0263d3995c2587

  • SHA1

    3bafa8a27e7309c1cf4b53a30d14b27aa9eb943e

  • SHA256

    418655281c560221783f5b6f418c6d3d5596080db1d257e570c14f230cbe48b2

  • SHA512

    8168245826f9d6fbeb8113fccf0d68581d4aa27eeeae5964634231aece48bb046f5137d9d20921866489fc6efe8dd3fb2e68ff45451df8297f018c9a6b55c4b8

Score
10/10
njrat|steam|evasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

|STEAM|

C2

1.libya-10.com.ly:1414

Mutex

6056bc0bdb8084ba8384f6229ad1d093

Attributes
  • reg_key

    6056bc0bdb8084ba8384f6229ad1d093

  • splitter

    TOP

Targets

    • Target

      IMVU.hack.credits.2017.vbs

    • Size

      467KB

    • MD5

      a3654f8e3e76b5593f8a458f2ebd9822

    • SHA1

      29637e7c7355c0cd027f79c39f134112dc16dfd9

    • SHA256

      6e8fb5bd72f4995c7d33feba7b233869cd5e5e345b3d0a031329fee385c36b8a

    • SHA512

      6f7a664074dca0ae0ffad3c87997948114c5d9eb460b1af3243037f95212206b8dd73422c24c7e97a2c70ed9bb170dff27b473cb68a5007563576e0132151d89

    Score
    10/10
    njrat|steam|evasionpersistencetrojan

    • Registers COM server for autorun

      persistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks