General

  • Target

    9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca

  • Size

    3.3MB

  • Sample

    220128-qvbxlsddhj

  • MD5

    be6098d5806e306c115c4ecae0e79049

  • SHA1

    46a5b8c8132a8f619ab7fcd5494091c727d9d0f1

  • SHA256

    9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca

  • SHA512

    6d9bb5390c66c58cba7f63000bc0d26d52fa28121c23f6da5f0bb3a3e16d4b868ef09a917a3a7ffc01c57cac768b73e1874e166b18316952ab5f5d7d99700a9c

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

supernovaswag.ignorelist.com:5552

sooosoo45.publicvm.com:1111

Mutex

d0f93c61091a2240aa3fd0d7912b4f59

Attributes
  • reg_key

    d0f93c61091a2240aa3fd0d7912b4f59

  • splitter

    |'|'|
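The extracted configuration above gives a compact set of host and network indicators: two C2 hostnames with ports, a mutex that doubles as the Run-key value name, and the field splitter the RAT uses in its messages. The following is an added example, not part of the sandbox report or of njRAT itself: a small Python IOC matcher that takes those values and runs them over constructed log lines. The Run-key location (HKCU\...\CurrentVersion\Run), the "netsh firewall add allowedprogram" pattern behind the "Modifies Windows Firewall" signature, and the "<len>\x00<body>" wire framing are assumptions drawn from public njRAT analysis, not from this report; the sample log lines are constructed.

```python
"""IOC matcher for the njRAT 0.7d config extracted in the report above.

Added example, not code from the report. Config values (C2 hosts/ports,
mutex, reg_key, splitter) are taken from the "Malware Config" section;
everything else (log format, Run-key path, netsh pattern, wire framing)
is an assumption, and the sample log is constructed.
"""
from __future__ import annotations

import re

# Values extracted by the sandbox.
C2 = {("supernovaswag.ignorelist.com", 5552), ("sooosoo45.publicvm.com", 1111)}
MUTEX = "d0f93c61091a2240aa3fd0d7912b4f59"
REG_KEY = MUTEX          # the extracted config uses one value for both
SPLITTER = "|'|'|"

# Assumption: persistence under the per-user Run key, named after reg_key.
RUN_KEY_RE = re.compile(
    r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(REG_KEY),
    re.IGNORECASE,
)
# Assumption: the firewall exception is added with the legacy netsh context.
NETSH_RE = re.compile(r"netsh\s+firewall\s+add\s+allowedprogram\b", re.IGNORECASE)
MUTEX_RE = re.compile(r"mutex\W+" + re.escape(MUTEX), re.IGNORECASE)
# Constructed log grammar: "connect host:port" and "dns_query=host".
CONN_RE = re.compile(r"connect\s+(?P<host>[\w.-]+):(?P<port>\d+)")
DNS_RE = re.compile(r"dns_query=(?P<host>[\w.-]+)")


def split_fields(body: str) -> list[str]:
    """Split an njRAT message body on the configured splitter."""
    return body.split(SPLITTER)


def parse_frame(data: bytes) -> tuple[int, str] | None:
    """Parse "<decimal length>\\x00<body>" framing (assumed from public analysis).

    Returns (declared_length, body) or None when the header is not numeric
    or the frame is shorter than it claims to be.
    """
    head, sep, body = data.partition(b"\x00")
    if not sep or not head.isdigit():
        return None
    length = int(head)
    if len(body) < length:
        return None
    return length, body[:length].decode("latin-1")


def match_line(line: str) -> list[str]:
    """Return the indicator names a single log line hits."""
    hits: list[str] = []
    m = CONN_RE.search(line)
    if m and (m["host"].lower(), int(m["port"])) in C2:
        hits.append("c2_connect")
    m = DNS_RE.search(line)
    if m and any(m["host"].lower() == host for host, _ in C2):
        hits.append("c2_dns")
    if MUTEX_RE.search(line):
        hits.append("mutex")
    if RUN_KEY_RE.search(line):
        hits.append("run_key")
    if NETSH_RE.search(line):
        hits.append("firewall_exception")
    return hits


def scan(log: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to the indicators they hit; clean lines are omitted."""
    return {n: h for n, h in ((n, match_line(l)) for n, l in enumerate(log.splitlines(), 1)) if h}


# Constructed sample log (not from the report): five hits and one benign line.
SAMPLE_LOG = """\
proc=server.exe connect supernovaswag.ignorelist.com:5552
proc=server.exe dns_query=sooosoo45.publicvm.com
proc=server.exe CreateMutex d0f93c61091a2240aa3fd0d7912b4f59
proc=server.exe RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\d0f93c61091a2240aa3fd0d7912b4f59
proc=cmd.exe cmdline="netsh firewall add allowedprogram C:\\Users\\x\\server.exe server.exe ENABLE"
proc=explorer.exe connect update.example.org:443
"""

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
    frame = parse_frame(b"10\x00ll|'|'|abc")
    if frame:
        print(split_fields(frame[1]))
```

The matcher keys on the values the sandbox actually extracted, so it is specific to this build (botnet "HacKed", mutex d0f9...); a hunt across a fleet would swap in each extracted config rather than generalising the regexes. parse_frame refuses truncated frames instead of decoding a partial body, which matters when reassembling from packet captures.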

Targets

    • Target

      01/2015.5.27/01.vir

    • Size

      1KB

    • MD5

      931257e136ab519589132594ab284e23

    • SHA1

      9d3d78d1a3f7393abed6d30890f7474ecfa8c1d7

    • SHA256

      2113e6037585f1a8d8632900ca49840e22e5fd044855cd7c9f6a8f2382357c06

    • SHA512

      12a6bf72bc87764653cb0ab24d82ded8ef4264c403a567fbafa25f5ff6558bda4ce713a8df9b42ac9209e29057769dc39f8c78323dee6ca386f09776d29448af

    Score
    3/10
    • Target

      PER-DCOMP-Intimacao.cpl

    • Size

      182KB

    • MD5

      98e4f5e65acc6362a0ca510a34d8e295

    • SHA1

      b90e44b0b11eaf0a903fda43eb67b0bceab3fced

    • SHA256

      7bb4b6eebd9747127887e6d21ecd3c29cf8ff23795ce0df58ff5e7679d4ddcf0

    • SHA512

      7e4363a7aa2212de1b349ada2b7973dfef66259980f9e67ec3ee146e780eeb0454c4a214b30ca0fd743414232230cbd302ed5f17ce1ac52f8beba5705201cf04

    Score
    1/10
    • Target

      01/2015.5.27/03.vir

    • Size

      624KB

    • MD5

      0744320b256d9f8ebf7387982f8efd3d

    • SHA1

      e103e00c907ecead188a9b6a589f84ed13add671

    • SHA256

      467f04914a1e6093bdaf5c28884bf95ec738234033b3292d289a0799de196d49

    • SHA512

      c71c13322d0af3303cd400155f9ea4fec27ccb2ebf4f74132b86f98cdebb79e9a8f58ac2208ece478a973d73f80e0e440d3682f41580fe04c2ab9a26dc5dd406

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      01/2015.5.27/04.vir

    • Size

      1.1MB

    • MD5

      00bdf391b4340de4728899e89167fd79

    • SHA1

      a4127031f16e52038a944db736457d2420344401

    • SHA256

      4c49c340809924ca6e4a87cad9209ad006ae89bdb38d9fa998599c065534ccf4

    • SHA512

      ce16f4e4833e17b02f1ac66600acbdaa655f5490ab4d95708a7430c6ab9f73236813ba138de5ecedea3725f926f9b9bc862581e5fa03b990644b1ee87b0b2b0b

    Score
    1/10
    • Target

      01/2015.5.27/05.vir

    • Size

      23KB

    • MD5

      dd5699246b80540dd884a3d605f7be56

    • SHA1

      537ff7480ecbc643193416ca134357d1bef80b42

    • SHA256

      01db025f5878054f556dbb972e62ca5ec38a44a2ab9291e53b6cb019e89e3b95

    • SHA512

      70f5a2651506da39bba368e2c7e1228727cf47737ed64b80700027765a1dae44268fe85ccf6d8ed19f94341808a2dc4028d38b8ee58d0766095729d89849a431

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Target

      01/2015.5.27/07.vir

    • Size

      180KB

    • MD5

      6b0b9ad0c784552500e86aba824c0aaf

    • SHA1

      1f571f395edc5722cb80bfd3e2f39730876a1019

    • SHA256

      233aa10f5c89d48d93c689c7593bba95e29bc570e2819317d4863471ecf2dc02

    • SHA512

      7259a760c5a4b9a24f698ae9239a417a5818b0195c32d06db61acda804817aa1063d499f93e58d3a0a4827d5c32f9982d3c5809a1cb738962cb65f0c0c41b81a

    Score
    7/10
    • Drops startup file

    • Loads dropped DLL

    • Target

      01/2015.5.27/09.vir

    • Size

      28KB

    • MD5

      2a87896e592dd168cad17b3ebcee6121

    • SHA1

      af4e6d67ed5bf0434672735aa3946437bbcb1450

    • SHA256

      d6f7c6720ba9fa9641906eee74098fc4bc825ac216d95f738a2fa51cf3c00384

    • SHA512

      2812622744901f2fd8a9150caa8f576e18d56497a3e04c29954d5939d64cb6a297f52b1beac76be28176ec7bd5a5f787874b850ed23305f2ce6a9ed41060c307

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      01/2015.5.27/10.vir

    • Size

      22KB

    • MD5

      659844803074f32b274708507df3118c

    • SHA1

      104dbcade45c3a01b499bd7ecb73852a5adf6146

    • SHA256

      99c065515cad2265f7f826e355c22f8c677682da498d2ae74b2cb96ee27c5ad9

    • SHA512

      008d57f5846c85e6ef8ad4a35a5a6838c925dacb9c829fb420c1896581490afcfe27edbfe6e69fa7f32d5fe1eeb06d3f2f8f28eb2cda930c4ab32bf184877986

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      01/2015.5.27/12.vir

    • Size

      188KB

    • MD5

      42c7e182b17036e117f6119582ab9f53

    • SHA1

      494ca78104a76bb0c8acae01668da4fa3d9c7680

    • SHA256

      7a08c9a6765b4ded3c8089b834f524f2c7cc7b5400278eabba16db8f1c1d54e2

    • SHA512

      9766547666d99c9344f422179529144c436b85267026cbb916b48ff63bdf78ca2d51c204f6bd53e4f1c865e2043fc90987ff454245d3648d5f5f4a4a76c30d7e

    Score
    1/10
    • Target

      01/2015.5.27/13.vir

    • Size

      181KB

    • MD5

      662567bf29cc2fb7dcb36ebeddb23da5

    • SHA1

      3b60e5c881af8c9ee2633b5c257f2ac8dd15100a

    • SHA256

      4dea3a8ec40207fca613640e5e2a3c12215f80ecd68ee0496f68217d68af2b57

    • SHA512

      6d1379558131e1839022085ab16119419cee0d7467544074d5ebf6045547300c491b1c14613d25d64c81b400d2298983d28f1db51f709d3b3397a49d3a7660e1

    Score
    1/10
    • Target

      01/2015.5.27/14.vir

    • Size

      821KB

    • MD5

      9ed9cb3fdd2a68a25665681a94879771

    • SHA1

      ad957a4aca28e4ab343cd8151e9e218b39e3f595

    • SHA256

      05a5bad78cdb97a78ca13bf4afa525a5294dbc9e6babb41a0861d48e76d64bcb

    • SHA512

      15941df8d2dfb085e7604c3e94d4346cb59e240700dd06ceabe28d57cd471dc50ccb7448d5b9a3ac6b2642a3a09367d14819214c915ce4c069a476c43b7da223

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Target

      01/2015.5.27/15.vir

    • Size

      78KB

    • MD5

      e42f5dbf5678f4a9020798f584f6b008

    • SHA1

      3aee531ae558fb08103735dfc9aeaa81d768212a

    • SHA256

      23ba4ddbe999f329582bff188778d1e27db1e8182899308c77a077f087878a2a

    • SHA512

      196bd228eb1458e2105802424b7c900c2b35b578ee8cfa220d073ca07f8c06f1fdfa4294ce7208ddd1030109f87311e8898f591f8cd5a9ac5b9fec6c05a971d1

    Score
    1/10
    • Target

      01/2015.5.27/16.vir

    • Size

      645KB

    • MD5

      4be96ff0f019a966dcf941121d9c4708

    • SHA1

      b699d9c175ad5e05cfe32fb4bf560af9d2501df5

    • SHA256

      28dc42f7c79bc17885a992211492b5c34cedf62d496dea3e179fcbc553c95a17

    • SHA512

      2218b56c96e51f42a31250ae9cae8b1249b919966d30c615ed9488c63b1164820f86108b10c202362e86ccc5a1046f0ccf5fc89f948e65a827d7d606903af777

    • UAC bypass

    • Adds policy Run key to start application

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      01/2015.5.27/17.vir

    • Size

      376KB

    • MD5

      9f142ae708642003cd3ac21eb2b0e991

    • SHA1

      20616c9639785fb317c42353ff4d0bb76f3daf09

    • SHA256

      079f4eefedf1e791c5fc4c4fb0f29cdab4d7b3ee9a56d77f8caac6cfe00f8dac

    • SHA512

      bd5022f7554194c75064032bc6a217ec7e95c9b300fac609c353bed28cf2ad3ce8ef62d2c1e541f459daf8c8394ef471335530f4c1e16e167cb2f0a5501c394a

    Score
    1/10
    • Target

      01/2015.5.27/18.vir

    • Size

      24KB

    • MD5

      ccca0ab4df0f1b9f79ed8a578b3c6c16

    • SHA1

      9ff234cb06a5e67b3f834c712c7b9c381f60f9ac

    • SHA256

      da7e5ec0d5092ca213e7b8abf44e9b9f7aadaa5c8dab2ed08a4315ee28870004

    • SHA512

      28cc99e17567070897e02f22979305a9eaa1b5b03a31f18b4fef0d7f8fa620304f15950d6267804a6bb9e97842576a47ec346d25b0cc1b08020fd6985be45f9a

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task (T1053): 2

Persistence
  • Registry Run Keys / Startup Folder (T1060): 4
  • Scheduled Task (T1053): 2
  • Modify Existing Service (T1031): 3

Privilege Escalation
  • Scheduled Task (T1053): 2
  • Bypass User Account Control (T1088): 1

Defense Evasion
  • Modify Registry (T1112): 12
  • Bypass User Account Control (T1088): 1
  • Disabling Security Tools (T1089): 1

Discovery
  • System Information Discovery (T1082): 14
  • Query Registry (T1012): 8
  • Remote System Discovery (T1018): 1

Tasks

static1

Tags: pdf, link, hacked, macro, macro_on_action, njrat
Score
10/10

behavioral1

Score
3/10

behavioral2

Score
3/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Tags: persistence, upx
Score
8/10

behavioral6

Tags: persistence, upx
Score
8/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Tags: njrat, evasion, trojan
Score
10/10

behavioral10

Tags: njrat, evasion, trojan
Score
10/10

behavioral11

Score
7/10

behavioral12

Score
7/10

behavioral13

Tags: njrat, evasion, persistence, trojan
Score
10/10

behavioral14

Tags: njrat, evasion, persistence, trojan
Score
10/10

behavioral15

Tags: njrat, hacked, evasion, persistence, trojan
Score
10/10

behavioral16

Tags: njrat, hacked, evasion, persistence, trojan
Score
10/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Tags: upx
Score
8/10

behavioral22

Tags: upx
Score
8/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Tags: evasion, persistence, trojan
Score
10/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10