Overview

overview

10

Static

static

163bb35336...99.exe

windows7-x64

10

163bb35336...99.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

  • Size

    320KB

  • Sample

    221126-yp2vvaea5t

  • MD5

    4e58b28c75b9b08b0e186092957e2bf0

  • SHA1

    9352d6772eab4356c1179a64a7654a8fbccd33e0

  • SHA256

    163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

  • SHA512

    1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

  • SSDEEP

    6144:imIPHg6U7zLHeAecv8mRw+BhYsNz+MAiuKAf8bpArz0zmF:im8HP0nHxx8mm+jYsczHK+8bwz06F

Score
10/10
njrathackpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hack

C2

91.236.116.112:1604

Mutex

16bb9e8a80e81119cd60a1f6a7412350

Attributes
  • reg_key

    16bb9e8a80e81119cd60a1f6a7412350

  • splitter

    |'|'|

Targets

    • Target

      163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

    • Size

      320KB

    • MD5

      4e58b28c75b9b08b0e186092957e2bf0

    • SHA1

      9352d6772eab4356c1179a64a7654a8fbccd33e0

    • SHA256

      163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

    • SHA512

      1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

    • SSDEEP

      6144:imIPHg6U7zLHeAecv8mRw+BhYsNz+MAiuKAf8bpArz0zmF:im8HP0nHxx8mm+jYsczHK+8bwz06F

    Score
    10/10
    njrathackpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks