njrat | 692a8be00d69e5d0782766f270046aa871fea041e63d125da9e1252b135623f3 | Triage

Submit
Reports

Overview

overview

Static

static

MgBMOjoQWC_hwstub.js

windows7_x64

MgBMOjoQWC_hwstub.js

windows10-2004_x64

Sharing

General

Target

MgBMOjoQWC_hwstub.js
Size

51KB
Sample

220616-pl66qaehbj
MD5

0c7657296a9994e6446ff500bc1b76c3
SHA1

bfdc4584c89faa7f3356549494331ccc8497ab33
SHA256

692a8be00d69e5d0782766f270046aa871fea041e63d125da9e1252b135623f3
SHA512

8549c221d3316d3a57feb5c4bdca51ae504f5479e22b83150a9eca82fb0b5f8ef8b2aa134d2b96c5bef42a170cc7c4dc8099606f71fabcd490732f7b8926213d

Score

10^/10

njrat vjw0rm hacked by mustymoney evasion persistence suricata trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

MgBMOjoQWC_hwstub.js

Resource

win7-20220414-en

njrat vjw0rm hacked by mustymoney evasion persistence suricata trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

MgBMOjoQWC_hwstub.js

Resource

win10v2004-20220414-en

vjw0rm persistence suricata trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By MustyMoney

C2

104.168.7.110:5552

Mutex

72f64d4ec723544c65ffca1cd7ba4ee6

Attributes

reg_key
72f64d4ec723544c65ffca1cd7ba4ee6
splitter
|'|'|

Targets

- Target
  
  MgBMOjoQWC_hwstub.js
- Size
  
  51KB
- MD5
  
  0c7657296a9994e6446ff500bc1b76c3
- SHA1
  
  bfdc4584c89faa7f3356549494331ccc8497ab33
- SHA256
  
  692a8be00d69e5d0782766f270046aa871fea041e63d125da9e1252b135623f3
- SHA512
  
  8549c221d3316d3a57feb5c4bdca51ae504f5479e22b83150a9eca82fb0b5f8ef8b2aa134d2b96c5bef42a170cc7c4dc8099606f71fabcd490732f7b8926213d
Score

10^/10

njrat vjw0rm hacked by mustymoney evasion persistence suricata trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratvjw0rmhacked by mustymoneyevasionpersistencesuricatatrojanworm

behavioral2

vjw0rmpersistencesuricatatrojanworm

© 2018-2024

Terms | Privacy