Overview

overview

10

Static

static

10

816bec8080...c6.exe

windows7-x64

8

816bec8080...c6.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    816bec80805e3aefb9374935f9326cc6.exe

  • Size

    37KB

  • Sample

    230314-ntewrsfb62

  • MD5

    816bec80805e3aefb9374935f9326cc6

  • SHA1

    e34c370564a014ce62a348346a1bbfd12f01555a

  • SHA256

    de194a0227d357129c719456e44d99cd6bd984d20149ce7096ba4f1d794a3b88

  • SHA512

    df657e3ef5d2ed51eee6e28e143dd299eea604e4399fdc10fd0f1b52ab58b40de23fea9cc6f8aeaf11a9522f1414ab7c93be39101cf5c8004ccae82834eb462f

  • SSDEEP

    384:i0SvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzXq:VS7TZ38fvCv3E1c1rM+rMRa8NuOPt

Score
10/10
njrathackedevasionpersistence

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

7.tcp.eu.ngrok.io:15593

Mutex

f9535d1dd682c0a54e42235c04e4809e

Attributes
  • reg_key

    f9535d1dd682c0a54e42235c04e4809e

  • splitter

    |'|'|

Targets

    • Target

      816bec80805e3aefb9374935f9326cc6.exe

    • Size

      37KB

    • MD5

      816bec80805e3aefb9374935f9326cc6

    • SHA1

      e34c370564a014ce62a348346a1bbfd12f01555a

    • SHA256

      de194a0227d357129c719456e44d99cd6bd984d20149ce7096ba4f1d794a3b88

    • SHA512

      df657e3ef5d2ed51eee6e28e143dd299eea604e4399fdc10fd0f1b52ab58b40de23fea9cc6f8aeaf11a9522f1414ab7c93be39101cf5c8004ccae82834eb462f

    • SSDEEP

      384:i0SvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzXq:VS7TZ38fvCv3E1c1rM+rMRa8NuOPt

    Score
    8/10
    evasionpersistence

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks