Overview

overview

10

Static

static

10

2fd0e5f074...83.exe

windows7-x64

10

2fd0e5f074...83.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2fd0e5f074ac1797378039bfd9aa2783.exe

  • Size

    37KB

  • Sample

    221201-skmbpsed9y

  • MD5

    2fd0e5f074ac1797378039bfd9aa2783

  • SHA1

    260a02c1aab33a643f549706d0e41b98583c4c80

  • SHA256

    c46660f4c6006b2d4fbb1f6b651da9c20895c9acbbf498a506365aca36ab9823

  • SHA512

    40af1e03eaf180a51a885160d702997dc675fa66a20608afc582fa0c576d34565d843b582f7f63beb2297c4d55b53006a50c7aaadeb8380b5a02c8459477e2ba

  • SSDEEP

    384:HmqaSikHkvmkO8IV+ytbNNOvNEsuKv2rAF+rMRTyN/0L+EcoinblneHQM3epzXQg:G1IV1tbNNO2lK+rM+rMRa8Numgt

Score
10/10
njratdibilevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Dibil

C2

0.tcp.eu.ngrok.io:18648

Mutex

ab0232858746b083a3ee8bc3e01cc315

Attributes
  • reg_key

    ab0232858746b083a3ee8bc3e01cc315

  • splitter

    |'|'|

Targets

    • Target

      2fd0e5f074ac1797378039bfd9aa2783.exe

    • Size

      37KB

    • MD5

      2fd0e5f074ac1797378039bfd9aa2783

    • SHA1

      260a02c1aab33a643f549706d0e41b98583c4c80

    • SHA256

      c46660f4c6006b2d4fbb1f6b651da9c20895c9acbbf498a506365aca36ab9823

    • SHA512

      40af1e03eaf180a51a885160d702997dc675fa66a20608afc582fa0c576d34565d843b582f7f63beb2297c4d55b53006a50c7aaadeb8380b5a02c8459477e2ba

    • SSDEEP

      384:HmqaSikHkvmkO8IV+ytbNNOvNEsuKv2rAF+rMRTyN/0L+EcoinblneHQM3epzXQg:G1IV1tbNNO2lK+rM+rMRa8Numgt

    Score
    10/10
    njratdibilevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks