General

  • Target

    3BD4EE3B206242034B5F90DFCFC1AF11E1C2F46BB6E7E.exe

  • Size

    873KB

  • Sample

    220928-2ss9nahcc6

  • MD5

    d93b0a6e1bc395773039809a097b6a65

  • SHA1

    92c957d07b4b2e69f77e0e0f12ce80fae1c80e5b

  • SHA256

    3bd4ee3b206242034b5f90dfcfc1af11e1c2f46bb6e7e8cee9994311477fc6cd

  • SHA512

    54e7e3c20ae3e61883efa37bf4b6a459ecb51f3096400d05076645af8037797081731060268d0f7ed5ca78b5b0a80fa3415933b08a0f2cf09cbd03781b6220c5

  • SSDEEP

    12288:2h1oFjTirpGk4vs/ZPl0SyFAY35oqb/sxwNp8bQHK:2h1uHiI/s/ZeS6Diy/sxwNp8j

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    2.tcp.ngrok.io:14402

  • Mutex

    5cb3161ea3511d9f5e42e30a884c6964

  • Attributes

    • reg_key

      5cb3161ea3511d9f5e42e30a884c6964

    • splitter

      |'|'|

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    q

  • C2

    8.tcp.ngrok.io:13778

  • Mutex

    6654f70ed551969a7183a6a878927468

  • Attributes

    • reg_key

      6654f70ed551969a7183a6a878927468

    • splitter

      |'|'|

Targets

    • Target

      3BD4EE3B206242034B5F90DFCFC1AF11E1C2F46BB6E7E.exe

    • Size

      873KB

    • MD5

      d93b0a6e1bc395773039809a097b6a65

    • SHA1

      92c957d07b4b2e69f77e0e0f12ce80fae1c80e5b

    • SHA256

      3bd4ee3b206242034b5f90dfcfc1af11e1c2f46bb6e7e8cee9994311477fc6cd

    • SHA512

      54e7e3c20ae3e61883efa37bf4b6a459ecb51f3096400d05076645af8037797081731060268d0f7ed5ca78b5b0a80fa3415933b08a0f2cf09cbd03781b6220c5

    • SSDEEP

      12288:2h1oFjTirpGk4vs/ZPl0SyFAY35oqb/sxwNp8bQHK:2h1uHiI/s/ZeS6Diy/sxwNp8j

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access

    Replication Through Removable Media, T1091 (1)

  • Persistence

    Modify Existing Service, T1031 (1)

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (2)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)

  • Lateral Movement

    Replication Through Removable Media, T1091 (1)

Tasks