njrat | 3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad | Triage

Submit
Reports

Overview

overview

Static

static

3fe6e95aaf...ad.exe

windows7_x64

3fe6e95aaf...ad.exe

windows10-2004_x64

Sharing

General

Target

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad
Size

8.7MB
Sample

220215-tm21lsgha2
MD5

e96b49168d8039c227de5c72bf41810b
SHA1

14944a4510d56864835eda74366dd93543de7e52
SHA256

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad
SHA512

0c98e82b1e454d85edd505cdae47fbdcb19651bd9bc573722ecf69f6e10a606677d2d865b590a29a542e23cf554523392aeb8bd1c26bf3153368531a36d6a2c7

Score

10^/10

njrat hack gta v evasion persistence themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe

Resource

win7-en-20211208

njrat hack gta v evasion persistence themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe

Resource

win10v2004-en-20220113

njrat hack gta v evasion themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HACK GTA V

C2

snowgato.duckdns.org:1177

Mutex

1eb07ee8c21d622a801f6a0fb9cad455

Attributes

reg_key
1eb07ee8c21d622a801f6a0fb9cad455
splitter
|'|'|

Targets

- Target
  
  3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad
- Size
  
  8.7MB
- MD5
  
  e96b49168d8039c227de5c72bf41810b
- SHA1
  
  14944a4510d56864835eda74366dd93543de7e52
- SHA256
  
  3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad
- SHA512
  
  0c98e82b1e454d85edd505cdae47fbdcb19651bd9bc573722ecf69f6e10a606677d2d865b590a29a542e23cf554523392aeb8bd1c26bf3153368531a36d6a2c7
Score

10^/10

njrat hack gta v evasion persistence themida trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathack gta vevasionpersistencethemidatrojan

behavioral2

njrathack gta vevasionthemidatrojan

© 2018-2024

Terms | Privacy