General

  • Target

    HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe

  • Size

    93KB

  • Sample

    220925-vdzdssgffp

  • MD5

    22862e6f7d03b5c16fefebb80e5070c2

  • SHA1

    1a3d11049829774b165287d715b55063aa0cdc7e

  • SHA256

    21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

  • SHA512

    02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

  • SSDEEP

    768:bY3/2/nkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3JsGdpVgM:S2fkVbPGHz88Eb71pjEwzGi1dD5DVgS

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Hacked

  • C2

    cWl3YXBpdm8uZGRucy5uZXQStrik:MTE3Nw==

  • Mutex

    dd294006da6e1298c186045132ffa2f6

Attributes

  • reg_key

    dd294006da6e1298c186045132ffa2f6

  • splitter

    |'|'|

Targets

    • Target

      HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                             Count  ID
Initial Access     Replication Through Removable Media   1      T1091
Persistence        Modify Existing Service               1      T1031
Discovery          Query Registry                        1      T1012
Discovery          System Information Discovery          2      T1082
Lateral Movement   Replication Through Removable Media   1      T1091

Tasks