Overview

overview

10

Static

static

10

TEST BANK ACCOUNT.exe

windows7-x64

10

TEST BANK ACCOUNT.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2023, 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TEST BANK ACCOUNT.exe

  • Size

    37KB

  • MD5

    d292e38ae9448135ff757d8023d2c10b

  • SHA1

    a5590dcdcf4bab86ac15234bf83957c7d828bcfb

  • SHA256

    5453d518a08515c4f08ebb09601a925f6164e22db494ce1785e70f00d61f8589

  • SHA512

    f85b3b303a9ecb84106d193d4650c8fedda92bde368fb96dae860b7be7b6b4509e1acac1a59b67d6210363c1b2a91fd0b21f97496e24bfdbbd93dc5c7696b93a

  • SSDEEP

    384:8wS6yikt2zIuMXY1uyZD71qwkfFoseyHDrAF+rMRTyN/0L+EcoinblneHQM3epzP:zoY1lN7Qwk21yjrM+rMRa8NuTrt

Score
10/10
njratl indian scammer ezezezeztrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

L indian scammer ezezezez

C2

chapter-julia.at.ply.gg:17779

Mutex

763f08aadc5f1dde3c553edc3d069fec

Attributes
  • reg_key

    763f08aadc5f1dde3c553edc3d069fec

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TEST BANK ACCOUNT.exe
    "C:\Users\Admin\AppData\Local\Temp\TEST BANK ACCOUNT.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\bank_account
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\bank_account"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:848

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\bank_account
    Filesize

    37KB

    MD5

    d292e38ae9448135ff757d8023d2c10b

    SHA1

    a5590dcdcf4bab86ac15234bf83957c7d828bcfb

    SHA256

    5453d518a08515c4f08ebb09601a925f6164e22db494ce1785e70f00d61f8589

    SHA512

    f85b3b303a9ecb84106d193d4650c8fedda92bde368fb96dae860b7be7b6b4509e1acac1a59b67d6210363c1b2a91fd0b21f97496e24bfdbbd93dc5c7696b93a

    Download Submit

  • memory/1920-54-0x0000000000490000-0x00000000004D0000-memory.dmp

    Filesize

    256KB

    Download