Overview

overview

10

Static

static

NEW_PURCHA...R_.exe

windows7_x64

10

NEW_PURCHA...R_.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    010f5f978596f99377d06c9a6e7b982def7c5cbb857e091af1a3f68c27295bc9

  • Size

    178KB

  • Sample

    220521-pc5xasfaf5

  • MD5

    91bbdd26320c48a2d7c61fb132f78c3a

  • SHA1

    a886e410c1910e2823dd032143eb73c8d3e458e4

  • SHA256

    010f5f978596f99377d06c9a6e7b982def7c5cbb857e091af1a3f68c27295bc9

  • SHA512

    a3a865ed5334c810b111fbca1da386590d8d2dedc00f2ade9c892f22845eff1ff2a6c4e59540fe5d37d970c0ac2c60fa2551be9bd3879b908da05e8620d23144

Score
10/10
njratmon$yevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Mon$y

C2

whmfix009.cf:5409

Mutex

67c692a08f8c138aa1c442e78c2761bc

Attributes
  • reg_key

    67c692a08f8c138aa1c442e78c2761bc

  • splitter

    |'|'|

Targets

    • Target

      NEW_PURCHASE_ORDER_.exe

    • Size

      282KB

    • MD5

      94cd3aef83f29bb2dd6d8fe40d751603

    • SHA1

      eb3439a00509d5e8ba99f97323cf2617d97b3106

    • SHA256

      0fa2721f9583ee945d3909290c0ead73dcf4e3cb5739a6f4423f3da6899fd602

    • SHA512

      fc78829979bd284924cc752dafd47a9dd6813e59b76c9620bd18eb3fb179db66aa87584600d38e15d0637ba52f8fbd8618b2de836251ae9d0e5b0d5c61b9c0db

    Score
    10/10
    njratmon$ytrojanevasionpersistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks