General

  • Target

    Private_Checker_2023_0.rar

  • Size

    10.3MB

  • Sample

    230313-xhcfyadf9v

  • MD5

    4c66493ac2c4d18556d8f291b8e7830c

  • SHA1

    ecf40bf886d700b86b711681d80c14709dd6ec03

  • SHA256

    13541e746cdf54a9dd39886962d240d55407a28a1fb8d879d4135dfd4eb45980

  • SHA512

    1d1177cb14a20cd564a4965fc6eefefbf867d90b06ac255169d23fda8d827c2162afbdc76401a9d26816e1a61cd20ad4b59f437aab85d4e68925e63d0ae97773

  • SSDEEP

    196608:ugEdki/JvzDQA6AMp67h26VR31SViJ2IBRlWflXo8VdCd0kFhW:BEOid/PbM6D31miJ2SR5kUd0L

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    5.78.41.13:5552

  • Mutex

    b5ca8b9665cede5b2e58d62e76894940

  • Attributes

    • reg_key

      b5ca8b9665cede5b2e58d62e76894940

    • splitter

      |'|'|

Targets

    • Target

      Run.exe

    • Size

      10.3MB

    • MD5

      1148891f082d24c6f0be9800d05c01c8

    • SHA1

      1d053080ab81e15aa76466e98d4d4c34a0ed517d

    • SHA256

      e640e55651b30981ff9b93e3183c30dbcf45b8ca8ebb5b981c6d08aad85269db

    • SHA512

      2563fe9dd9e18df629480a34f70a6b8bebf185e447d090e81632ad1da26f7a446960ef0ca2fdd833b5d5d14e85384320b494c4c46347c0268f5ace7d3cd6a92b

    • SSDEEP

      196608:u5AHwrNX93+Gko1UbNhGHW3lidswAPq+ZQxu40bItwMtjqS6yu2gfYqBJ:GmGkoYiRCnq+ZQ6bItXtwyu2AYq

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 3
