Overview

overview

10

Static

static

111eb3a585...3d.exe

windows7_x64

10

111eb3a585...3d.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d

  • Size

    1.7MB

  • Sample

    220326-g99yhshce6

  • MD5

    5de44904fb635506bc43de4fe10c1d38

  • SHA1

    b7800af591a87fe99577786b98aa09107e0c4fc8

  • SHA256

    111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d

  • SHA512

    a6462530b591c8222e7cfff9767a412f93ca5d39c56098a5f69724ca606eed70365b904b23939a8dac6aa8bbe398d1aec145d4054af2c4c24d1d757a1e82a73b

Score
10/10
njratzombieevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Zombie

C2

pussy.n-e.kr:5552

Mutex

b62c95af1d1020e4f746a6e36fa2ec48

Attributes
  • reg_key

    b62c95af1d1020e4f746a6e36fa2ec48

  • splitter

    |'|'|

Targets

    • Target

      111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d

    • Size

      1.7MB

    • MD5

      5de44904fb635506bc43de4fe10c1d38

    • SHA1

      b7800af591a87fe99577786b98aa09107e0c4fc8

    • SHA256

      111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d

    • SHA512

      a6462530b591c8222e7cfff9767a412f93ca5d39c56098a5f69724ca606eed70365b904b23939a8dac6aa8bbe398d1aec145d4054af2c4c24d1d757a1e82a73b

    Score
    10/10
    njratzombieevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks