General

  • Target

    Invoice Copies.img

  • Size

    56KB

  • Sample

    221027-1zdxwadhar

  • MD5

    166bc3f938e635a6784bb83de0f7b896

  • SHA1

    9b3544b74d7305b6f161d532fe247ed86c5f0b9b

  • SHA256

    e6546d3c6c424e49d9b88648f731ad9bd7bddecc885b3f099ac7e33432ebdd52

  • SHA512

    e6a6e01b32b569ee761b058673925bac0a314b85435f0a86f2b65ab7e245245871128636ad6604997ac6801192e8d66cfadb73061d22b71df9f124624d336a8d

  • SSDEEP

    96:5XiSac97tzddXgXV5HvdzLXPB7/++yam6meMhq7B99ALbzNtL7:MSphzddaPdzLXJ72LGmT47JAL9x7

Malware Config

Extracted

  • Family

    njrat

  • Version

    v2.0

  • Botnet

    update

  • C2

    money2022.ddns.net:8080

  • Mutex

    Windows

Attributes

  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • Target

      Invoice Copies.exe

    • Size

      6KB

    • MD5

      ee3b8f3f1da88398032df33c0f3bd663

    • SHA1

      b5a606cede787a23ae8f051ccce4fe64cc192f22

    • SHA256

      aa5f137c6505bd37b23a8e087fd73974a029f6b98e4590d550d84a8941390dda

    • SHA512

      3e6587de2eec4108d5bca390499442b7ac34f399e4421b7eac76ac0508492b4ea5ba30059b76f6fc2a424cf9226e17c624468aa58e953647b90dac52c361297c

    • SSDEEP

      96:Hac97tzddXgXV5HvdzLXPB7/++yam6meMhq7B99ALbzNt:HphzddaPdzLXJ72LGmT47JAL9

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder

    T1060 (1)

  • Hidden Files and Directories

    T1158 (1)

Defense Evasion

  • Modify Registry

    T1112 (1)

  • Hidden Files and Directories

    T1158 (1)

Discovery

  • Query Registry

    T1012 (1)

  • System Information Discovery

    T1082 (2)

Tasks