General

  • Target

    0242b77912d11030997cbf549f41a61c.exe

  • Size

    37KB

  • Sample

    221201-ld7whahg4w

  • MD5

    0242b77912d11030997cbf549f41a61c

  • SHA1

    d0fabf4bf6adff8f2ae3f827bf0a815fe00513cf

  • SHA256

    d143d732effee86f0bc7a3862cfbc20b3ff1f0759aa997b7a8a3e5568fdd4337

  • SHA512

    52d1b86eb23d6bca79c2752a3a5d43ac5617495a8b0a9d387492e8eef9a56067913ddb79b6dab7228bde473cdca9713d69d642f6b04eac52bbb6cd15e23c706c

  • SSDEEP

    384:oalQmY98iM6caSGAZ0ytfBPGHlegiuIWnrAF+rMRTyN/0L+EcoinblneHQM3epzS:9QmGp2Z3tfBPGk9udrM+rMRa8NuW/t

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Dibil

C2

7.tcp.eu.ngrok.io:18097

Mutex

7bb786d3a71613dbb1f2bee12d98405a

Attributes
  • reg_key

    7bb786d3a71613dbb1f2bee12d98405a

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access

    Replication Through Removable Media (T1091) ×1

  • Persistence

    Modify Existing Service (T1031) ×1
    Registry Run Keys / Startup Folder (T1060) ×1

  • Defense Evasion

    Modify Registry (T1112) ×1

  • Discovery

    Query Registry (T1012) ×1
    System Information Discovery (T1082) ×2

  • Lateral Movement

    Replication Through Removable Media (T1091) ×1

Tasks