General

  • Target

    2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad

  • Size

    9.8MB

  • Sample

    230129-ygkxcsbc83

  • MD5

    fd86b6c98d65c9d38322424386034c81

  • SHA1

    9c548ab70e4d4f18e92b5cdd62c909c58f5e9b66

  • SHA256

    2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad

  • SHA512

    6eed4fdb7b3c5896ffa93a20671e36068258425e2ac29edcedfd2638a2ea7a16b302ac8e91a91ef3061355ea1c0e154976476d1ea9d15409fe830cebf31a2f12

  • SSDEEP

    196608:6C86m9+NO3mj55jt28jBDpOGce1rjUhz+XshT3olw39xPis5BskMoiE:6C86SMO3iDhBU5hT3o239xqo

Malware Config

Extracted

Family

quasar

Version

2.6.0.0

Botnet

defender

C2

20.82.128.5:4444

Mutex

HkuL6QRMZaTdYNlEJY

Attributes
  • encryption_key

    auS4Dqyt2zp1gKolism7

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    C:\Users\neilish\Desktop\rat

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

20.199.40.163:4444

Mutex

Launcher

Attributes
  • reg_key

    Launcher

  • splitter

    |-F-|

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

    Hidden Files and Directories (T1158): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

    Hidden Files and Directories (T1158): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1

Tasks