Overview

overview

10

Static

static

809b746c32...c5.exe

windows7-x64

10

809b746c32...c5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    809b746c32451069d87c1d859ea60144708a96674fc69b471ea132b16172e0c5

  • Size

    3.2MB

  • Sample

    221125-lp951agf52

  • MD5

    eb7519e15e13afb38b3fea8c2478b9d7

  • SHA1

    df585b37ef1a93770ef2c3a28cbd00f759053497

  • SHA256

    809b746c32451069d87c1d859ea60144708a96674fc69b471ea132b16172e0c5

  • SHA512

    386da681b7405e782f94da1206c3870d82e27a8a2d63e0ee5aef8140fb1110e6d7a811a68695f97bc53411c563e7c3ae9731b84450c6a5a30e8305c5ed0f377a

  • SSDEEP

    98304:Kq1wzyH5CJmGoukfSdjGVK0EaKftVjpX/Fa:KqH07quGVGaKfRI

Score
10/10
njrathackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

10.0.2.15:7777

Mutex

66a423b5aff803461ae114b10bbacca0

Attributes
  • reg_key

    66a423b5aff803461ae114b10bbacca0

  • splitter

    |'|'|

Targets

    • Target

      809b746c32451069d87c1d859ea60144708a96674fc69b471ea132b16172e0c5

    • Size

      3.2MB

    • MD5

      eb7519e15e13afb38b3fea8c2478b9d7

    • SHA1

      df585b37ef1a93770ef2c3a28cbd00f759053497

    • SHA256

      809b746c32451069d87c1d859ea60144708a96674fc69b471ea132b16172e0c5

    • SHA512

      386da681b7405e782f94da1206c3870d82e27a8a2d63e0ee5aef8140fb1110e6d7a811a68695f97bc53411c563e7c3ae9731b84450c6a5a30e8305c5ed0f377a

    • SSDEEP

      98304:Kq1wzyH5CJmGoukfSdjGVK0EaKftVjpX/Fa:KqH07quGVGaKfRI

    Score
    10/10
    njrathackedevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Tasks