Overview

overview

10

Static

static

c2d029be62...87.exe

windows7-x64

10

c2d029be62...87.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

  • Size

    158KB

  • Sample

    221128-pllvsacg34

  • MD5

    f8fb5200c192966250611f9ddbda3d50

  • SHA1

    0c1566727d34c9403073bbb24b89bd04155864ff

  • SHA256

    c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

  • SHA512

    db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

  • SSDEEP

    3072:X7sYnxbYIVwsOmVZNFPYuoE2Ol/uyQT2v+6:XgYxbYtu7PYPE2Ol

Score
10/10
njratclientsevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Clients

C2

nyheu3938.no-ip.biz:1199

Mutex

749e61bd02cc756ea373bd81808cdf08

Attributes
  • reg_key

    749e61bd02cc756ea373bd81808cdf08

  • splitter

    |'|'|

Targets

    • Target

      c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

    • Size

      158KB

    • MD5

      f8fb5200c192966250611f9ddbda3d50

    • SHA1

      0c1566727d34c9403073bbb24b89bd04155864ff

    • SHA256

      c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

    • SHA512

      db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

    • SSDEEP

      3072:X7sYnxbYIVwsOmVZNFPYuoE2Ol/uyQT2v+6:XgYxbYtu7PYPE2Ol

    Score
    10/10
    njratclientsevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks