Resubmissions

28-06-2023 05:42

230628-geffeshd21 10

28-06-2023 05:38

230628-gb2jgshd2z 10

General

  • Target

    unins000.exe

  • Size

    120KB

  • Sample

    230628-gb2jgshd2z

  • MD5

    fedc44d49ac077434621ed7b00e9233f

  • SHA1

    6ce87223da9aa55e9695be288712b04612c8a981

  • SHA256

    9f60fbfc28e3875762e45a63f9e3ce5dc6b993fe930b2b2f26ba999bd334668e

  • SHA512

    79622da4e20d655d36bbaa5936cde110300edccd876decf20c679b567542330541eedf330e6f1ffab4d824d3f9cf073f6e02f3cc75e62c29c0b1893a902e0bb0

  • SSDEEP

    3072:t+IH9U8Hp2k9VNq7OA23/RcY1CYS9B3pr8L4dOE:5imdNq7Oj3/K+S93O4

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

BackUp

C2

style-camps.craft.ply.gg:37572

Mutex

Text attrib corrector

Attributes
  • reg_key

    Text attrib corrector

  • splitter

    |Hassan|

Targets

    • Target

      unins000.exe

    • Size

      120KB

    • MD5

      fedc44d49ac077434621ed7b00e9233f

    • SHA1

      6ce87223da9aa55e9695be288712b04612c8a981

    • SHA256

      9f60fbfc28e3875762e45a63f9e3ce5dc6b993fe930b2b2f26ba999bd334668e

    • SHA512

      79622da4e20d655d36bbaa5936cde110300edccd876decf20c679b567542330541eedf330e6f1ffab4d824d3f9cf073f6e02f3cc75e62c29c0b1893a902e0bb0

    • SSDEEP

      3072:t+IH9U8Hp2k9VNq7OA23/RcY1CYS9B3pr8L4dOE:5imdNq7Oj3/K+S93O4

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight.

    • UAC bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Stops running service(s)

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
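The signatures above name behaviours, not artefacts. As an added example (not code from the Triage report or from njRAT itself), the script below turns them into hunting logic over endpoint telemetry: the Policies\System values that disable Task Manager and RegEdit, a Run entry named with the report's reg_key, the `netsh firewall add allowedprogram` command, a drop into the Startup folder, a process whose hash is the report's SHA256, and DNS resolution of the C2 host. Assumptions: Sysmon-style event dicts constructed inline, a watchlist of IP-lookup domains we chose ourselves (the report only says "a legitimate IP lookup service"), and our own mapping of each behaviour to the v6 technique IDs used in the matrix further down.

```python
# Added example: hunt for this sample's njRAT behaviours in endpoint telemetry.
# Not Triage's or njRAT's code; events are constructed and the ATT&CK mapping is ours.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the extracted config and hashes above.
C2 = "style-camps.craft.ply.gg:37572"
REG_KEY = "Text attrib corrector"   # Run-key value name (same string as the mutex)
SHA256 = "9f60fbfc28e3875762e45a63f9e3ce5dc6b993fe930b2b2f26ba999bd334668e"

# Registry paths and commands behind the signatures above.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
NETSH_RE = re.compile(r"netsh\s+firewall\s+add\s+allowedprogram", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed watchlist: the report does not name the IP lookup service used.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}


@dataclass
class Finding:
    signature: str
    technique: Optional[str]   # ATT&CK v6 ID from the matrix, None if it has none
    evidence: str


def parse_c2(endpoint: str) -> tuple[str, int]:
    """Split the config's 'host:port' string and validate the port."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad C2 endpoint: {endpoint!r}")
    return host, int(port)


def hunt(events: list[dict]) -> list[Finding]:
    """Map raw events onto the behavioural signatures listed in the report."""
    c2_host, _ = parse_c2(C2)
    out: list[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "reg_set":
            key, name, data = ev["key"].lower(), ev["name"], str(ev["data"])
            if (key == POLICY_KEY.lower() and data == "1"
                    and name in ("DisableTaskMgr", "DisableRegistryTools")):
                what = "Task Manager" if name == "DisableTaskMgr" else "RegEdit"
                out.append(Finding(f"Disables {what} via registry modification",
                                   "T1112", f"{ev['key']}\\{name}={data}"))
            elif key == RUN_KEY.lower() and (name == REG_KEY
                                             or "\\appdata\\" in data.lower()):
                # The report's exact value name, or any Run entry pointing into AppData.
                out.append(Finding("Adds Run key to start application",
                                   "T1060", f"{ev['key']}\\{name}={data}"))
        elif kind == "proc_create":
            if ev.get("sha256") == SHA256:
                out.append(Finding("Executes dropped EXE", None, ev["image"]))
            if NETSH_RE.search(ev["cmdline"]):
                out.append(Finding("Modifies Windows Firewall", "T1089", ev["cmdline"]))
        elif kind == "file_create" and STARTUP_RE.search(ev["path"]):
            out.append(Finding("Drops startup file", "T1060", ev["path"]))
        elif kind == "dns_query":
            q = ev["query"].lower()
            if q == c2_host:
                out.append(Finding("Resolves C2 host from extracted config", None, q))
            elif q in IP_LOOKUP_DOMAINS:
                out.append(Finding("Looks up external IP address via web service",
                                   "T1082", q))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per technique, the way the matrix below tallies them."""
    return dict(Counter(f.technique for f in findings if f.technique))


# Constructed Sysmon-style events (not real telemetry): the dropped copy of the
# sample runs, fences itself in, and persists; the last Run entry is benign.
DROPPED = r"C:\Users\victim\AppData\Roaming\unins000.exe"
SAMPLE_EVENTS = [
    {"type": "proc_create", "image": DROPPED, "sha256": SHA256, "cmdline": f'"{DROPPED}"'},
    {"type": "proc_create", "image": r"C:\Windows\System32\netsh.exe", "parent": DROPPED,
     "cmdline": f'netsh firewall add allowedprogram "{DROPPED}" "unins000.exe" ENABLE'},
    {"type": "reg_set", "key": RUN_KEY, "name": REG_KEY, "data": DROPPED},
    {"type": "reg_set", "key": POLICY_KEY, "name": "DisableTaskMgr", "data": 1},
    {"type": "reg_set", "key": POLICY_KEY, "name": "DisableRegistryTools", "data": 1},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                                    r"\Start Menu\Programs\Startup\unins000.exe"},
    {"type": "dns_query", "query": "api.ipify.org"},
    {"type": "dns_query", "query": "style-camps.craft.ply.gg"},
    {"type": "reg_set", "key": RUN_KEY, "name": "ExampleUpdater",
     "data": r"C:\Program Files\Example\updater.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique or '-'}] {f.signature}: {f.evidence}")
```

Running it on the constructed events yields eight findings and a per-technique tally that can be compared with the matrix below; the benign `ExampleUpdater` Run entry does not fire. One caveat when pivoting on the C2: the `.ply.gg` host is a playit.gg tunnel endpoint, so the address it resolves to belongs to the tunnel provider, not to the operator's own infrastructure, and blocking should be on the hostname plus port rather than the IP alone.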

MITRE ATT&CK Matrix (ATT&CK v6); the trailing number is how many signatures mapped to that technique

Execution
  • Scheduled Task (T1053): 1

Persistence
  • Modify Existing Service (T1031): 2
  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation
  • Bypass User Account Control (T1088): 1
  • Scheduled Task (T1053): 1

Defense Evasion
  • Bypass User Account Control (T1088): 1
  • Disabling Security Tools (T1089): 1
  • Modify Registry (T1112): 3
  • Impair Defenses (T1562): 1

Discovery
  • System Information Discovery (T1082): 1
  • Query Registry (T1012): 1

Impact
  • Service Stop (T1489): 1

Tasks