Overview

overview

10

Static

static

enc.hta

windows7-x64

10

enc.hta

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    enc.zip

  • Size

    1KB

  • Sample

    220809-xt2vzagdc7

  • MD5

    d22dd7ccc3a29e2de21c7996543b9396

  • SHA1

    c6846b0cf15d63bf2bb72f929cb0873b6207e9c2

  • SHA256

    ef9b9da0e50039c5155abcb728f093f5818f7dfbc72374a044c76ec4fabe97a0

  • SHA512

    cde7c2b17ca6e979036d5d26d7fb763f0cfe7f02ccf8553e9841b3e2d7f804e98735e6c8daae153450a9149f1f27dc60713a20d46c0970a2c8fd1395e5453243

Score
10/10
njrathackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Targets

    • Target

      enc.hta

    • Size

      4KB

    • MD5

      a22a14258d33638343e40b4ef674b06d

    • SHA1

      172a63be58e0a1c0d4a4b0a933d74b6af9164ddc

    • SHA256

      5ea0ac297ec8f31acc2fa0c4475d2bcf044b2699e2417a8aa650d1b742ade518

    • SHA512

      eb1c994e51bb36dbbbe54e64d642276e6924d332611c072ef215ff0cd17439187ca15467f1848526a1fd9c279b96c4cd2446e83fd992eb94c58daa965a1eda58

    Score
    10/10
    njrathackedevasionpersistencetrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Blocklisted process makes network request

    • Modifies Windows Firewall

      evasion

    • Registers COM server for autorun

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks