General

  • Target

    12062466a79412f3a8ed904cc159078b5f12d609ea9eee34ee62885b61e7bc08

  • Size

    186KB

  • Sample

    220521-pb49dafab8

  • MD5

    286be33f8178c34befd230346bf1cee1

  • SHA1

    2bc8aecc59fe3268bcc6551881497265c3dad53d

  • SHA256

    12062466a79412f3a8ed904cc159078b5f12d609ea9eee34ee62885b61e7bc08

  • SHA512

    4f1e82104f9f76868cfcdf6e002d5f632b8455b337ef4c6316cbba5a432214d177da19a501b91c62509370a599f2f2c2f25f46a995ce25e2aa421f8f7bd0442c

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Mon$y

  • C2

    whmfix009.cf:5409

  • Mutex

    67c692a08f8c138aa1c442e78c2761bc

Attributes
  • reg_key

    67c692a08f8c138aa1c442e78c2761bc

  • splitter

    |'|'|

Targets

    • Target

      Purchase-Order.exe

    • Size

      313KB

    • MD5

      98eef34a88d5e5764e73ef2f2fdbbe7c

    • SHA1

      251153d80c187d77e718520067fa103f7ff06c7f

    • SHA256

      84420e6ba6526a6a8ff940b6144497b346e1b0005a9ec7e686025219981d4658

    • SHA512

      628e6c2a859f786300fe98ed8e136a7e49d5650b7c630893534f4f6eb6d62cd4ad44c011783cbdaacbf338245454bd815af1996c2a57976c1fcb057499623be9

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Modify Existing Service              1      T1031
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      1      T1112
  Discovery             Query Registry                       1      T1012
  Discovery             System Information Discovery         2      T1082

Tasks