General

  • Target

    17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38

  • Size

    11.1MB

  • Sample

    220222-svnbraadg9

  • MD5

    a35d415ee0aff1e2ec654aae84a16acf

  • SHA1

    cc4aa96dcc764ad63847bd741740a1e76cc1c91f

  • SHA256

    17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38

  • SHA512

    1c757e1b92d0b9f032716c1db16976ac63c75cc489769a3e16bc7bd24971d66d62360b8c51922d6c76138ea7e02b1a0596372a9de267635809acb13cdd98e6db

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zcb79451

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zcb79451

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mw==

FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==

Mutex

429569822ab3f91283cbbbcf37c3e742

Attributes
  • reg_key

    429569822ab3f91283cbbbcf37c3e742

  • splitter

    |'|'|

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Password

Targets

    • Target

      17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38

    • Size

      11.1MB

    • MD5

      a35d415ee0aff1e2ec654aae84a16acf

    • SHA1

      cc4aa96dcc764ad63847bd741740a1e76cc1c91f

    • SHA256

      17b9cfb2d84221fc82895967d989e125e6bd0139ff29184e0c441fba41ba6e38

    • SHA512

      1c757e1b92d0b9f032716c1db16976ac63c75cc489769a3e16bc7bd24971d66d62360b8c51922d6c76138ea7e02b1a0596372a9de267635809acb13cdd98e6db

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks