General

  • Target

    d3545b469629c5f047df0cb6b4b4ed8587e44a173c2fbef42f987042b3f1a0a3

  • Size

    346KB

  • Sample

    220203-slhd5sbadl

  • MD5

    b67cc47347d1ea5450a9779385b98c03

  • SHA1

    43684e3f72f1b3c229d68de3d13735f8a2a6577f

  • SHA256

    d3545b469629c5f047df0cb6b4b4ed8587e44a173c2fbef42f987042b3f1a0a3

  • SHA512

    23fe7d63c13fd71b917039415c8fd15ebe04c4363a816886a1041e0e5f843cc116972de8232fdf140e1dc38237a2457ffdcaa21424e5c8311436b0d69c18fbb8

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://cdn.discordapp.com/attachments/858084204901564479/867768611681468457/Main.png

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    grennoj.duckdns.org:8000

  • Mutex

    f171208f74a9

  • Attributes

    • reg_key

      f171208f74a9

    • splitter

      @!#&^%$

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1

Tasks