Overview

overview

10

Static

static

7030965b5c...8c.exe

windows7-x64

10

7030965b5c...8c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c

  • Size

    212KB

  • Sample

    221124-eyjk3sca5s

  • MD5

    db55fb022d74a642daa9169663d736ae

  • SHA1

    31d51d14c6c0707728ff948704522ef81cbd62e2

  • SHA256

    7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c

  • SHA512

    1d0d23758010b21ae34f2357d58761c2a8e6f99a3245ac20eaeec84b8be0af7686f8ac258f9a2ecfe09e1d87dabb8429e8cda41faf90988f3c8927f7ef060cb2

  • SSDEEP

    3072:quhMi/KTBwAbez+mzPG81Z8cfkvv2aSWQUnKaOAZ3VqDcQUnnnnjnnnnnnT63:DSiSTB10+mDnfSDSzUncg4

Score
10/10
njratsvchotevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

svchot

C2

salouh-20.no-ip.org:1177

Mutex

6e1ce27bcc6ff5920e6f5b65cc3a57bd

Attributes
  • reg_key

    6e1ce27bcc6ff5920e6f5b65cc3a57bd

  • splitter

    |'|'|

Targets

    • Target

      7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c

    • Size

      212KB

    • MD5

      db55fb022d74a642daa9169663d736ae

    • SHA1

      31d51d14c6c0707728ff948704522ef81cbd62e2

    • SHA256

      7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c

    • SHA512

      1d0d23758010b21ae34f2357d58761c2a8e6f99a3245ac20eaeec84b8be0af7686f8ac258f9a2ecfe09e1d87dabb8429e8cda41faf90988f3c8927f7ef060cb2

    • SSDEEP

      3072:quhMi/KTBwAbez+mzPG81Z8cfkvv2aSWQUnKaOAZ3VqDcQUnnnnjnnnnnnT63:DSiSTB10+mDnfSDSzUncg4

    Score
    10/10
    njratsvchotevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks