Overview

overview

10

Static

static

f2efdb9112...5e.exe

windows7_x64

10

f2efdb9112...5e.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

  • Size

    1.1MB

  • Sample

    220625-b7pa5sbgh4

  • MD5

    6d2b7843f0e9168704d4c71108cfdc50

  • SHA1

    3fb8ed1bc9eb790af15c1f18486ac5461a44ed71

  • SHA256

    f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

  • SHA512

    56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0

Score
10/10
njratcoderevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

coder

C2

81.61.77.92:5553

Mutex

890f73d3282170b26075ca7917951b6e

Attributes
  • reg_key

    890f73d3282170b26075ca7917951b6e

  • splitter

    |'|'|

Targets

    • Target

      f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

    • Size

      1.1MB

    • MD5

      6d2b7843f0e9168704d4c71108cfdc50

    • SHA1

      3fb8ed1bc9eb790af15c1f18486ac5461a44ed71

    • SHA256

      f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

    • SHA512

      56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0

    Score
    10/10
    njratcoderevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks