Overview

overview

10

Static

static

5eb8e9fdad...2a.exe

windows7-x64

10

5eb8e9fdad...2a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

  • Size

    319KB

  • Sample

    221123-vl4cqahd53

  • MD5

    d974e8a7e94fae3bef8b9a663057ba05

  • SHA1

    02457284d0a0a05fc84e59fe6f34f4ee5f324df8

  • SHA256

    5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

  • SHA512

    a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

  • SSDEEP

    3072:XTn64mgLXEg36vdXheha1G+VedMdGW53aKzfBrKGdrsx7HD:Dn4gIR1XhYa11VedMdGYKGRsZ

Score
10/10
njratﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲evasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲

C2

aaddbbkk.hopto.org:1177

Mutex

85d96ae9b74c6f98a30eae5caffd31d4

Attributes
  • reg_key

    85d96ae9b74c6f98a30eae5caffd31d4

  • splitter

    |'|'|

Targets

    • Target

      5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

    • Size

      319KB

    • MD5

      d974e8a7e94fae3bef8b9a663057ba05

    • SHA1

      02457284d0a0a05fc84e59fe6f34f4ee5f324df8

    • SHA256

      5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

    • SHA512

      a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

    • SSDEEP

      3072:XTn64mgLXEg36vdXheha1G+VedMdGW53aKzfBrKGdrsx7HD:Dn4gIR1XhYa11VedMdGYKGRsZ

    Score
    10/10
    njratﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲trojanevasionpersistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks