General

  • Target: 08523899.exe
  • Size: 37KB
  • Sample: 230609-h3f8ascb4x
  • MD5: b17414d6949c2e013de14fdc268cfc89
  • SHA1: 21f52aadfe9691ed8d28415ec0f31c8507cc6e32
  • SHA256: 99219aa34910a8c28a6bfc96a6a58247fb1aa6c0cd0abd4af5445aa0ba359525
  • SHA512: 812806987016518ae7270e5ef2ca9e580684943a9fde797756f4c7c7221144fb8bb2aab8e1eed8c879d2fa9b2da5c95382d96a65e395b9527bbf3e2fdd8f0e59
  • SSDEEP: 768:5YdqHpR9EfZnuCCFMXsrM+rMRa8NugUOt:isHpRyBnA6X/+gRJNHU

Malware Config

Extracted

  • Family: njrat
  • Version: im523
  • Botnet: Discord
  • C2: 176.37.53.55:7777
  • Mutex: 4e9eb192f2892f9e22c0f13eb935b2a7
  • Attributes
      • reg_key: 4e9eb192f2892f9e22c0f13eb935b2a7
      • splitter: |'|'|

Targets

    • Target: 08523899.exe (37KB; same MD5/SHA1/SHA256/SHA512/SSDEEP values as listed under General)
    • njRAT/Bladabindi: widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops autorun.inf file: malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access: Replication Through Removable Media (T1091) × 1
  • Persistence: Modify Existing Service (T1031) × 1; Registry Run Keys / Startup Folder (T1060) × 1
  • Defense Evasion: Modify Registry (T1112) × 1
  • Discovery: Query Registry (T1012) × 1; System Information Discovery (T1082) × 2
  • Lateral Movement: Replication Through Removable Media (T1091) × 1

Tasks