Overview

overview

10

Static

static

ff980ba1ad...6e.exe

windows7-x64

10

ff980ba1ad...6e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e

  • Size

    1.5MB

  • Sample

    221126-kkqecsaa8x

  • MD5

    62acb695a8baccb136d49911f38a58ea

  • SHA1

    cf0977abb66708f5aef2a4606d065448d39bbfc0

  • SHA256

    ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e

  • SHA512

    daeed0028080beb28bd944facb6b970b11d27f43a5f7e2a4f80ac09c916156cf1e96c18d63966b22a40315f6fde9e8a171adfd96b6ee185f20f0aaad5c793190

  • SSDEEP

    24576:8egV2LlUOwU1OmvLx/mMBT9RHnw1bMtIWz0DvxYIEFV4O3ZH6gTqp:8MTt1OmvLx/mMBT9RHnw1bMtIWz0DvxL

Score
10/10
njrathacked_bymeevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed_ByMe

C2

topo2015.no-ip.biz:1177

Mutex

08f4dc96bbb7af09d1a37fe35c75a42f

Attributes
  • reg_key

    08f4dc96bbb7af09d1a37fe35c75a42f

  • splitter

    |'|'|

Targets

    • Target

      ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e

    • Size

      1.5MB

    • MD5

      62acb695a8baccb136d49911f38a58ea

    • SHA1

      cf0977abb66708f5aef2a4606d065448d39bbfc0

    • SHA256

      ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e

    • SHA512

      daeed0028080beb28bd944facb6b970b11d27f43a5f7e2a4f80ac09c916156cf1e96c18d63966b22a40315f6fde9e8a171adfd96b6ee185f20f0aaad5c793190

    • SSDEEP

      24576:8egV2LlUOwU1OmvLx/mMBT9RHnw1bMtIWz0DvxYIEFV4O3ZH6gTqp:8MTt1OmvLx/mMBT9RHnw1bMtIWz0DvxL

    Score
    10/10
    njrathacked_bymeevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Tasks