Overview

overview

10

Static

static

10

SMART 1.exe

windows7-x64

10

SMART 1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9556460411e4b61c6437429b9d982b5d0a4f20352f3da2bc7d178cb56d948a4a

  • Size

    80KB

  • Sample

    221125-ws12lshb4v

  • MD5

    5de8a81cc3b79200533770394be514d6

  • SHA1

    48541d2249b6cc1dfd5c81876930f2e1e918bb2d

  • SHA256

    9556460411e4b61c6437429b9d982b5d0a4f20352f3da2bc7d178cb56d948a4a

  • SHA512

    a87af0410962ee31f05895dd14cea175223ec39cb112816052bd3e75a3b9e29cb07aae80d9a55c17c81efb2b0070a11b93eeda8cee67e48404529290a8572e91

  • SSDEEP

    1536:YMdPpfqtOe060LLGvvlDws9Vf/Rnz5jqYXbvhRLUUfAQKRM7Xq:YjtT0LavvxfVf5z5jJvhRAU4BMW

Score
10/10
neshtanjrathackedevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

medo979.no-ip.biz:5552

Mutex

f02a0dc65ff97aa43cc56ae47f9df6fc

Attributes
  • reg_key

    f02a0dc65ff97aa43cc56ae47f9df6fc

  • splitter

    |'|'|

Targets

    • Target

      SMART 1.exe

    • Size

      146KB

    • MD5

      816c02655dcded0b037bc142076f41a5

    • SHA1

      43f394fdd26609ae05f8069885ac5633533d46de

    • SHA256

      24c21788676a5218a6a08ff211fe20bb292c9c89d60feaad64740ddb906d351a

    • SHA512

      083951e7887bad9af8acd87dc835a555f7a79e97d2e16ef34e5febabdb30f0cf214adb7b2032faa220bd04dbe1155483442d7f604b8868135d745c38467ef8c5

    • SSDEEP

      3072:sr85C8QOb1sG0+HbGRD5Ds3dKYJgv2MiXtO6Gb86iB:k98QObuG08bGdp0+v21XXqOB

    Score
    10/10
    neshtanjrathackedevasionpersistencespywarestealertrojan

    • Detect Neshta payload

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks