Overview

overview

10

Static

static

10

HEUR-Troja...fc.exe

windows7-x64

10

HEUR-Troja...fc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

  • Size

    663KB

  • Sample

    220922-v92h2afhbl

  • MD5

    e4df57bd77bee2f9c9e3ea85d9140cc7

  • SHA1

    a382fdddc8b9c47d57878c8e3a24bd991400a76b

  • SHA256

    a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

  • SHA512

    81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

  • SSDEEP

    12288:huk4uHbAxQCDsAePggw38ZFjejph6YKg4Mk0V/hDix9WE3QqH3csD4z:hJt7AGMExw38ZFjejph6YKg4MLC33csW

Score
10/10
njrathackedevasionpersistenceransomwarespywarestealertrojanvmprotect

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

198.54.133.72:59249

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

    • Size

      663KB

    • MD5

      e4df57bd77bee2f9c9e3ea85d9140cc7

    • SHA1

      a382fdddc8b9c47d57878c8e3a24bd991400a76b

    • SHA256

      a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

    • SHA512

      81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

    • SSDEEP

      12288:huk4uHbAxQCDsAePggw38ZFjejph6YKg4Mk0V/hDix9WE3QqH3csD4z:hJt7AGMExw38ZFjejph6YKg4MLC33csW

    Score
    10/10
    njrathackedevasionpersistenceransomwarespywarestealertrojanvmprotect

    • Modifies security service

      evasion

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Tasks