njrat | 9228d8c44cdc5cc4d82ec3fe68379c6c5938bc04702cfc86b9b8c96872b52a68 | Triage

Submit
Reports

Overview

overview

Static

static

9228D8C44C...CF.exe

windows7-x64

9228D8C44C...CF.exe

windows10-2004-x64

Sharing

General

Target

9228D8C44CDC5CC4D82EC3FE68379C6C5938BC04702CF.exe
Size

6.2MB
Sample

221025-1tb64aeadk
MD5

cc95e0f6886ee79017f070ceedbb17e3
SHA1

e628e3331228741760644b0716b6e66f7a37324c
SHA256

9228d8c44cdc5cc4d82ec3fe68379c6c5938bc04702cfc86b9b8c96872b52a68
SHA512

f50b798226c81db56187e59b258d2e857dc28da6cb42a047e0ffb5da2dc4c95f68d3d8788cec8a15635718a345d98f8c2c5e579101cbd88493e2d4805d7f5136
SSDEEP

98304:u5hHwzlKTDbdRGQSxUTZeNEiIK176ykGlnrHL21sHHLrHIatQts6mughHLo:uwzoTDp4QeUpg176KlnrHiGYDdmughH

Score

10^/10

njrat taurus batvoi evasion persistence pyinstaller spyware stealer trojan

Static task

static1

pyinstaller njrat

2 signatures

Behavioral task

behavioral1

Sample

9228D8C44CDC5CC4D82EC3FE68379C6C5938BC04702CF.exe

Resource

win7-20220812-en

njrat taurus batvoi evasion persistence pyinstaller spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

9228D8C44CDC5CC4D82EC3FE68379C6C5938BC04702CF.exe

Resource

win10v2004-20220812-en

njrat taurus batvoi evasion persistence pyinstaller stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

Carbonblack2102

Botnet

batvoi

C2

1368.vnh.wtf:5552

Mutex

0de45b5c6627a3e65a4b2a1e68ec841b

Attributes

reg_key
0de45b5c6627a3e65a4b2a1e68ec841b
splitter
|'|'|

Targets

- Target
  
  9228D8C44CDC5CC4D82EC3FE68379C6C5938BC04702CF.exe
- Size
  
  6.2MB
- MD5
  
  cc95e0f6886ee79017f070ceedbb17e3
- SHA1
  
  e628e3331228741760644b0716b6e66f7a37324c
- SHA256
  
  9228d8c44cdc5cc4d82ec3fe68379c6c5938bc04702cfc86b9b8c96872b52a68
- SHA512
  
  f50b798226c81db56187e59b258d2e857dc28da6cb42a047e0ffb5da2dc4c95f68d3d8788cec8a15635718a345d98f8c2c5e579101cbd88493e2d4805d7f5136
- SSDEEP
  
  98304:u5hHwzlKTDbdRGQSxUTZeNEiIK176ykGlnrHL21sHHLrHIatQts6mughHLo:uwzoTDp4QeUpg176KlnrHiGYDdmughH
Score

10^/10

njrat taurus batvoi evasion persistence pyinstaller spyware stealer trojan
- Taurus Stealer
  Taurus is an infostealer first seen in June 2020.
  trojan stealer taurus
- Taurus Stealer payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

pyinstallernjrat

behavioral1

njrattaurusbatvoievasionpersistencepyinstallerspywarestealertrojan

behavioral2

njrattaurusbatvoievasionpersistencepyinstallerstealertrojan

© 2018-2024

Terms | Privacy