njrat | 15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05 | Triage

Submit
Reports

Overview

overview

Static

static

joao.exe

windows7-x64

joao.exe

windows10-2004-x64

Sharing

General

Target

joao.exe
Size

89KB
Sample

230615-hj14cseh97
MD5

a88c703f3ec08baf49df569833dde633
SHA1

f5b47b14f247d4eb1fe0131255a43735b53bb366
SHA256

15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05
SHA512

391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307
SSDEEP

384:aRcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZ2kgAD1vJ:ay30py6vhxaRpcnunF8u3EMyyCg

Score

10^/10

njrat joao evasion persistence spyware stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

joao.exe

Resource

win7-20230220-en

njrat joao evasion persistence spyware stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

joao.exe

Resource

win10v2004-20230220-en

njrat joao evasion persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

joao

C2

0.tcp.sa.ngrok.io:11168

Mutex

e6a27426758a6eb3f469a160f094bed0

Attributes

reg_key
e6a27426758a6eb3f469a160f094bed0
splitter
|'|'|

Targets

- Target
  
  joao.exe
- Size
  
  89KB
- MD5
  
  a88c703f3ec08baf49df569833dde633
- SHA1
  
  f5b47b14f247d4eb1fe0131255a43735b53bb366
- SHA256
  
  15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05
- SHA512
  
  391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307
- SSDEEP
  
  384:aRcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZ2kgAD1vJ:ay30py6vhxaRpcnunF8u3EMyyCg
Score

10^/10

njrat joao evasion persistence spyware stealer trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

njratjoaoevasionpersistencespywarestealertrojanupx

behavioral2

njratjoaoevasionpersistencetrojan

© 2018-2024

Terms | Privacy