Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Server.exe
-
Size
93KB
-
Sample
230723-1sqyvsgh63
-
MD5
57e1aae72406aecb9418ea6b9900d24f
-
SHA1
b1eb7cf67e69c5ecaea4df806d5e17913485c048
-
SHA256
baa50398d0c735b6f72a76093ed875a27ec9d60d900ecd50d396f5bc2bdf9cf2
-
SHA512
1937e3b729ad249f7e0c0ea3ad11d2af6bd6f237833d4779d8a758ae307c76b9b8c2b47910c42f3228411695ba5a4c0a78cab2c8e8693d342750f2495cf20196
-
SSDEEP
768:OY3rUnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk31sGS:tUxOx6baIa9RZj00ljEwzGi1dDFDcgS
Malware Config
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
hkmtdr.ddns.net:6522
3fe8a9a3f17c479411fdaf6e87365c0c
-
reg_key
3fe8a9a3f17c479411fdaf6e87365c0c
-
splitter
|'|'|
Targets
-
-
Target
Server.exe
-
Size
93KB
-
MD5
57e1aae72406aecb9418ea6b9900d24f
-
SHA1
b1eb7cf67e69c5ecaea4df806d5e17913485c048
-
SHA256
baa50398d0c735b6f72a76093ed875a27ec9d60d900ecd50d396f5bc2bdf9cf2
-
SHA512
1937e3b729ad249f7e0c0ea3ad11d2af6bd6f237833d4779d8a758ae307c76b9b8c2b47910c42f3228411695ba5a4c0a78cab2c8e8693d342750f2495cf20196
-
SSDEEP
768:OY3rUnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk31sGS:tUxOx6baIa9RZj00ljEwzGi1dDFDcgS
Score10/10-
Modifies WinLogon for persistence
-
Modifies security service
-
Windows security bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Disables RegEdit via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
11Pre-OS Boot
1Bootkit
1