General

  • Target

    0648873dd8d00b2eca5eaa5680f7a5b6.exe

  • Size

    4.9MB

  • Sample

    220706-2ec1hshggp

  • MD5

    0648873dd8d00b2eca5eaa5680f7a5b6

  • SHA1

    fada8b49ca5b898c9e31bc87f2b37a267599d406

  • SHA256

    0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f

  • SHA512

    88fd72593cb94da497bf5ed7b9e4f35cfac74e9e5280d8d9f0708c6867518c4f0444ab0426ba8f94f86ffbcc3263b83cd6ce436d094bd82ec5e5bc8e4a5908d0

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

51.89.91.139:5050

Mutex

5db0afc818875fbd9be3e842f2d3f24b

Attributes
  • reg_key

    5db0afc818875fbd9be3e842f2d3f24b

  • splitter

    |'|'|

Targets

    • Target

      0648873dd8d00b2eca5eaa5680f7a5b6.exe

    • Size

      4.9MB

    • MD5

      0648873dd8d00b2eca5eaa5680f7a5b6

    • SHA1

      fada8b49ca5b898c9e31bc87f2b37a267599d406

    • SHA256

      0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f

    • SHA512

      88fd72593cb94da497bf5ed7b9e4f35cfac74e9e5280d8d9f0708c6867518c4f0444ab0426ba8f94f86ffbcc3263b83cd6ce436d094bd82ec5e5bc8e4a5908d0

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread to other hosts via attached removable volumes.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Anti-debugging: a thread flagged with ThreadHideFromDebugger stops delivering debug events to an attached debugger.
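The splitter and C2 in the extracted config, together with the Suricata "CnC Activity (ll)" hit in the behaviour list above, describe njRAT's registration traffic. The following Python is an added example, not code from the sample, the sandbox or the report: it frames and parses messages the way njRAT does (ASCII decimal payload length, a NUL byte, then fields joined with the configured splitter) and flags a byte stream whose frame carries the "ll" registration command. The beacon bytes are constructed for the example; the field layout after the command, the victim id format and the function names are assumptions, and nothing is sent to the C2.

```python
import base64
from typing import List, Optional, Tuple

# Values taken from the extracted config on this page.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "51.89.91.139", 5050   # referenced only; never contacted here
BOTNET = "HacKed"


def build_frame(fields: List[str], splitter: str = SPLITTER) -> bytes:
    """njRAT framing: decimal payload length in ASCII, a NUL byte, then the
    payload, whose fields are joined with the configured splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return f"{len(payload)}".encode() + b"\x00" + payload


def parse_frames(stream: bytes, splitter: str = SPLITTER) -> Tuple[List[List[str]], bytes]:
    """Cut a TCP byte stream into complete frames.

    Returns the parsed field lists and the unconsumed tail (a partial frame the
    caller should buffer until more data arrives). Raises ValueError when the
    bytes before a NUL are not a decimal length, i.e. this is not njRAT framing.
    """
    frames: List[List[str]] = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_bytes = stream[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {length_bytes!r}")
        start = nul + 1
        end = start + int(length_bytes)
        if end > len(stream):
            break                                  # frame not fully received yet
        payload = stream[start:end].decode("utf-8", errors="replace")
        frames.append(payload.split(splitter))
        pos = end
    return frames, stream[pos:]


def looks_like_njrat(stream: bytes, splitter: str = SPLITTER) -> Optional[dict]:
    """Heuristic in the spirit of the Suricata hit on this page: an njRAT-framed
    message whose command field is 'll' (client registration).

    Returns a small summary, or None for streams that do not match."""
    try:
        frames, _ = parse_frames(stream, splitter)
    except ValueError:
        return None
    for fields in frames:
        if len(fields) >= 2 and fields[0] == "ll":
            return {
                "command": "ll",
                "field_count": len(fields),
                # Third field = botnet name: the position used by the constructed
                # beacon below, an assumption rather than a protocol guarantee.
                "botnet": fields[2] if len(fields) > 2 else None,
            }
    return None


def constructed_beacon(hostname: str = "DESKTOP-TEST", user: str = "analyst") -> bytes:
    """A constructed approximation of the registration beacon (not a capture).
    The id format and the field order after 'll' are assumptions for the example."""
    victim_id = base64.b64encode(f"{BOTNET}_{hostname}_3F2A1B7C".encode()).decode()
    return build_frame(["ll", victim_id, BOTNET, hostname, user, "Win 10 Pro", "No", "im523"])


if __name__ == "__main__":
    beacon = constructed_beacon()
    print("frame:", beacon)
    print("match:", looks_like_njrat(beacon))
    # Two frames back to back plus a truncated third: the tail is handed back.
    frames, tail = parse_frames(beacon + beacon + beacon[:5])
    print("complete frames:", len(frames), "buffered tail:", tail)
    # Negative control: ordinary HTTP has no NUL-delimited length prefix.
    print("http:", looks_like_njrat(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
```

The parser keys on the framing rather than on the splitter alone, so a stream that happens to contain the splitter string inside unrelated data is not flagged, while a coalesced or fragmented TCP segment is handled by buffering the returned tail.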

MITRE ATT&CK Matrix (ATT&CK v6)

Numbers in parentheses are the report's per-technique counts.

  • Initial Access

    T1091 Replication Through Removable Media (1)

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)
    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

  • Lateral Movement

    T1091 Replication Through Removable Media (1)
