General

  • Target

    Runtime Broker.exe

  • Size

    64KB

  • Sample

    230403-pkgjnsgb6x

  • MD5

    865ff8cad7b20655ee94d62739cf57b2

  • SHA1

    5d91a0d58d8d5e2d88dddf2c9c5f0499fe61ba11

  • SHA256

    d8fe63a4499e084306ef0f303f69f53bbbe9902962ac8c2722f16da521983b55

  • SHA512

    01d68e3372c9d0b77f599331be3cdf0454060e094a1994c94b475f105eee2a5d5175608382bd3ce8579600f8411a1768595c49a7c61ba92469b3bc943422e50b

  • SSDEEP

    1536:prEqKHoN36t+QViobt8hpuyBnvbKfIteKbN38LbB9z3nSaF9bmSRv8:prEqKHoN36t+QViobGhBn2f6mt9zCaFg

Malware Config

Extracted

  • Family

    njrat

  • Version

    Platinum

  • Botnet

    HacKed

  • C2

    127.0.0.1:10002

  • Mutex

    Runtime Broker.exe

Attributes

  • reg_key

    Runtime Broker.exe

  • splitter

    |Ghost|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)
    T1158 Hidden Files and Directories (1)

  • Defense Evasion

    T1112 Modify Registry (2)
    T1130 Install Root Certificate (1)
    T1158 Hidden Files and Directories (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

  • Command and Control

    T1102 Web Service (1)

Tasks