General

  • Target

    e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02

  • Size

    37KB

  • Sample

    220520-rqy21sbbel

  • MD5

    93629cc82528b6dc58a8db94912ca786

  • SHA1

    c73a94cf2014605c317b433eb38d4a8f39d70aaf

  • SHA256

    e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02

  • SHA512

    00d0b728e31a0030f9d983f2fe36e46514f449ba96a3c034ff860f4be96e9a8e67bc4bdbff086b79474962509088032509a3e7f3cad06e32dcaaa0d3e19c7650

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

95.138.242.118:6463

Mutex

a719548a4e0a4b21166fca31fea3933b

Attributes
  • reg_key

    a719548a4e0a4b21166fca31fea3933b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access

    Replication Through Removable Media (T1091): 1

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Lateral Movement

    Replication Through Removable Media (T1091): 1

Tasks