General

  • Target

    887F546123CD59024356557175BD77FE1144BA5C56D93.exe

  • Size

    93KB

  • Sample

    230626-g4b5ashf9z

  • MD5

    3379d8b83c00b455e8b879f966375af3

  • SHA1

    3df48893c22222b17ccaf53eff170a877ca12c65

  • SHA256

    887f546123cd59024356557175bd77fe1144ba5c56d9327bfb95a0f4f91cd47e

  • SHA512

    501a1164207ba2522e07e5c8895c857121b6e4b8ae4d294067709e24d4498b824f375d8dd66656bbec32a41dda699311605b8e4ef5115941c84be85e695db84a

  • SSDEEP

    768:lY37KSSgmnldjcRoMwrx7Y+DIkIITJbXX6pOtzux82WXxrjEtCdnl2pi1Rz4Rk3e:AKQmlbrq+1NTZBOojEwzGi1dDoDzgS

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

PC

C2

hakim32.ddns.net:2000

6.tcp.eu.ngrok.io:15224

Mutex

953c8cd2afae4b51c8f2239e4c7c17c0

Attributes

  • reg_key

    953c8cd2afae4b51c8f2239e4c7c17c0

  • splitter

    |'|'|

Targets

    • Target

      887F546123CD59024356557175BD77FE1144BA5C56D93.exe

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                 Technique                              Count  ID
    Initial Access         Replication Through Removable Media    1      T1091
    Persistence            Modify Existing Service                1      T1031
    Discovery              Query Registry                         1      T1012
    Discovery              System Information Discovery           2      T1082
    Lateral Movement       Replication Through Removable Media    1      T1091
    Command and Control    Web Service                            1      T1102
