Resubmissions

  • 06/08/2023, 05:08: 230806-fsj54ahd2v 10
  • 06/08/2023, 05:03: 230806-fp3s2aga45 10
  • 02/08/2023, 10:27: 230802-mg764seb72 10

General

  • Target: DcRat.7z
  • Size: 24.7MB
  • Sample: 230806-fp3s2aga45
  • MD5: b4b4a610df1a6e5d7b4a7771398ba3c7
  • SHA1: a3ae8d7a63329a98578a5c373d4fef31e836c118
  • SHA256: b157421990f8a723d92fb176febc0531756fb589884d40d0bfba466d6a0b0c23
  • SHA512: e5216d7823b2d74a4681122528e40c6455c563bd547aa709ae33f46fbf2feae03579328286137b970e13e6b6dd11afec8ed5b2b855eac09d46e8ad02aa8a5392
  • SSDEEP: 786432:kVhB5l8v+kurxLNBnqekxXKTXM/fuHqUz:wD5mTmxLNoekx6sBw

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7NC
  • Botnet: NYAN CAT
  • C2: ofi.dyn.ydns.io:5553
  • Mutex: f988fca3984c4c
  • Attributes
      • reg_key: f988fca3984c4c
      • splitter: @!#&^%$

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: NJCRYPT
  • C2: windowsupdateservice.mypi.co:8768
  • Mutex: 2484db5a2c13348cb68085177e842817
  • Attributes
      • reg_key: 2484db5a2c13348cb68085177e842817
      • splitter: |'|'|

Targets

    • Target: DcRat.7z
    • Size: 24.7MB

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks