General

  • Target

    426937c153dd506951c7f40a94094c48.bin

  • Size

    812KB

  • Sample

    230606-bk1ewsca51

  • MD5

    61ad3176600461222dbecba8cfd0e061

  • SHA1

    17bf6ab1d6ab400c5fe8898073825cf470009988

  • SHA256

    480480bd127a8adc1be044d8db59da08a8dee51a455a77b0b473c17b2c3fcf64

  • SHA512

    ff54584d2b9eecec4333d5d559a260559265004f921cac284239e9d07de23caefa46786f0a37798661edb8c1e1e259dccbd0fafc4e9382f8714cb7d5bf12ecf5

  • SSDEEP

    24576:95nN+ZIn7SENcrO9yIYJGOHXjHgswqWEszc:zNss7SEG+yIYJGIXjNWEszc

Malware Config

Targets

    • Target

      2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe

    • Size

      863KB

    • MD5

      426937c153dd506951c7f40a94094c48

    • SHA1

      fb1e60c760f716e3058e3187d701899ba136d6a2

    • SHA256

      2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3

    • SHA512

      4404e37eced0a0bfa8255e6549d0b9212cd7fd3be87b012879bbf9898b7ffa36d28c27525f4d2b9edc64100ab29e302afe4bbd2594f3810ad4e1701b13405103

    • SSDEEP

      24576:Zjy6Akw+amJpYfdwzcfeJs9ReYWCW8kCt9g7:w6Akwhm0fdXO/D8j

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Count   ID
  -----------------  -----------------------------------  ------  ------
  Persistence        Modify Existing Service              1       T1031
  Persistence        Registry Run Keys / Startup Folder   1       T1060
  Defense Evasion    Modify Registry                      1       T1112
  Credential Access  Credentials in Files                 2       T1081
  Discovery          Query Registry                       3       T1012
  Discovery          System Information Discovery         3       T1082
  Collection         Data from Local System               2       T1005
  Collection         Email Collection                     1       T1114

Tasks