General
Target: Windscribe.rar
Size: 15.8MB
Sample: 230905-ars4qacb6w
MD5: 33be2f9771daf63f0dab58546bb02af2
SHA1: 44430eb2f941a4ba1513d33b3f935f19abd154f9
SHA256: d2b76155f614719d0ccb3107a2cf0c4e365aed06f7c2238b0eba4836b06b0e38
SHA512: 0837e505bb70de3d01c88b4f696cc0329cce91e3f06c745ddc0a9e5d00e352c39884793797378c011b52a94368f87449a069299c38ba8918b8e360eb6a98f8e3
SSDEEP: 393216:C6LW5iAXFISjfK2ON6CuaVB6L5KmFhrSxXB6fr:JyiAVT26CugBqKm3SGfr
Static task: static1
Behavioral task: behavioral1
Sample: Windscribe.rar
Resource: win10v2004-20230831-en
Malware Config
Extracted: njrat 0.7d
Run RunPE
splitter: |'|'|
Targets
Target: Windscribe.rar
Score: 10/10
- Creates new service(s)
- Drops file in Drivers directory
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination: network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)