Overview

overview

10

Static

static

10

Server.exe

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Server.exe

  • Size

    37KB

  • Sample

    220711-m6sgysgebn

  • MD5

    2b2e32819d3271475b9299f2f46c6ac8

  • SHA1

    ae645d1e145d5dd9e3148ccc6df7fba8b2a4c166

  • SHA256

    918fc754614e06d29c6646c123df663b0e568bf9924988651adf011381faa88f

  • SHA512

    42f602d39328d7c86b61ea66abcb37eaf75d205fae02685df2d13f561d58ec670814f7e8d7783b55562f232075f12430e13bf8f98ac92ed371af91f2c850979e

Score
10/10
gozi_rm3njratлошокbankerevasionpersistencesuricatatrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Лошок

C2

194.71.126.120:17954

Mutex

13d65a76848c880b980676c6c1cc6341

Attributes
  • reg_key

    13d65a76848c880b980676c6c1cc6341

  • splitter

    |'|'|

Targets

    • Target

      Server.exe

    • Size

      37KB

    • MD5

      2b2e32819d3271475b9299f2f46c6ac8

    • SHA1

      ae645d1e145d5dd9e3148ccc6df7fba8b2a4c166

    • SHA256

      918fc754614e06d29c6646c123df663b0e568bf9924988651adf011381faa88f

    • SHA512

      42f602d39328d7c86b61ea66abcb37eaf75d205fae02685df2d13f561d58ec670814f7e8d7783b55562f232075f12430e13bf8f98ac92ed371af91f2c850979e

    Score
    10/10
    gozi_rm3njratлошокbankerevasionpersistencesuricatatrojan

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

      bankertrojangozi_rm3

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

      suricata

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

      suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

      suricata

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks