Overview

overview

10

Static

static

10

hello.exe

windows7_x64

10

hello.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    hello_123.rar

  • Size

    16KB

  • Sample

    220616-2qgg3shebj

  • MD5

    db3210b3ed9c67de2b54d130f04eb92e

  • SHA1

    d0ac4da641472fc99f0393f9bfc89fef79d438f8

  • SHA256

    574cd5c5cc1c280c53dabc2501198c7257f344c4617f81f0bb632c52b770b1f8

  • SHA512

    1e8f1c1a1462ece4991a5bdb1d46f39d4407708196a8e639a6dfa73552c8f0d8701c150e893e9e083a01c9ec46dcf30df5e75c285c4b4a3944d3a375b1371987

Score
10/10
njratgaynextevasionpersistencesuricatatrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

gay

C2

5.tcp.eu.ngrok.io:12059

Mutex

17a12256c22089ecda68e950006be021

Attributes
  • reg_key

    17a12256c22089ecda68e950006be021

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

NEXT

C2

109.197.196.135:9991

Mutex

413491cbe232876548b9b7cd8a1b451d

Attributes
  • reg_key

    413491cbe232876548b9b7cd8a1b451d

  • splitter

    |'|'|

Targets

    • Target

      hello.exe

    • Size

      37KB

    • MD5

      f6578c4f484063121bb63109b543fb95

    • SHA1

      baae4772f958a85f2420a7c112f3b0ee02f962ce

    • SHA256

      c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e

    • SHA512

      882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c

    Score
    10/10
    njratnextevasionpersistencesuricatatrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

      suricata

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Tasks