General

  • Target

    njnj.zip

  • Size

    16.2MB

  • Sample

    230907-ybehdsdf28

  • MD5

    2f0f71fc681d83a24d5ea70faaa54799

  • SHA1

    1bb680d757450b939ea237b7edd59f8bc46718ed

  • SHA256

    0955083a248cff54f8944f0ee729bf4a59ab594bd7288b2c0247175d1756e717

  • SHA512

    d9a4c3f5967288a0de9296c2adf712b5c70c0fa77f338fe6863dc701c086dbe7403c22fe7ab7e33684e797c631b5f40ef6ac0aaee9138694c1b1608139efb95f

  • SSDEEP

    393216:fqWpE8e7dITsk1TRWMgm+DlSbyZivjNAEKhEqQQsWfa+qYPr:fqWGuh1TRW3P1Z6Ry9itc

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

lol

C2

808080.ml:5555

Mutex

39ea446b8ade9effcf7ab7c0d68621da

Attributes
  • reg_key

    39ea446b8ade9effcf7ab7c0d68621da

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

nj

C2

199.241.146.179:31922

Mutex

c5dbc4b5114eccb1261dfdb2194089a8

Attributes
  • reg_key

    c5dbc4b5114eccb1261dfdb2194089a8

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

svhost

C2

62.109.11.164:5552

Mutex

31e68c5230c737766d0bca9d8a3e9590

Attributes
  • reg_key

    31e68c5230c737766d0bca9d8a3e9590

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Sixtnn

C2

linkadrum.nl:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

COM

C2

new4love.myftp.biz:6777

Mutex

2f6d138161c7b1e5b6fd8e205c417d59

Attributes
  • reg_key

    2f6d138161c7b1e5b6fd8e205c417d59

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7.3

Botnet

OfficEr09

C2

194.5.99.17:6521

Mutex

ClienNe.exe

Attributes
  • reg_key

    ClienNe.exe

  • splitter

    1111

Extracted

Family

nanocore

Version

1.2.2.0

C2

77.48.28.247:5378

Mutex

d05852ee-0a7b-481c-a286-25366e65816c

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    77.48.28.247

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-02-03T10:23:08.755936536Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    5378

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    d05852ee-0a7b-481c-a286-25366e65816c

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    77.48.28.247

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

0.7d

Botnet

14.04

C2

akilay.kingx.info:1177

Mutex

9602a33d103f6d5047701f6f6b9c2652

Attributes
  • reg_key

    9602a33d103f6d5047701f6f6b9c2652

  • splitter

    |'|'|

Extracted

Family

netwire

C2

henry.dvrcam.info:5509

Attributes
  • activex_autorun

    true

  • activex_key

    {00873Y32-6U30-7YV1-H8UC-3IWTQ12184BG}

  • copy_executable

    false

  • delete_original

    false

  • host_id

    MAY1

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    ecIKRlng

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Targets

    • Target

      a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e

    • Size

      937KB

    • MD5

      d2aca4967231eb63f091ddadb9a364de

    • SHA1

      9fd9ff93b6b9905f4400df11b1e8d260e3ba3954

    • SHA256

      a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e

    • SHA512

      104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2

    • SSDEEP

      12288:ij6WXYcmypf+tCYIgPVFBStIx9myb1tHA39XX0o1ymxgCZwLfbUUNDD3o:6Y1mf+tCYIKBCU9f/HAJgCmLfbvDc

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d

    • Size

      1.4MB

    • MD5

      0dd5d8ff4fa87c8ef8473493a3634021

    • SHA1

      8bf0f5b86de710213be1cc25c9d866bb8a10d1ed

    • SHA256

      a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d

    • SHA512

      6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc

    • SSDEEP

      24576:lPk6yfp+zHavJ09dBYcGEwby0eNVqMBxLFPSuw5HYdno6fHbBu8cHYsxTPQC:lPjyfpBvJWdBYcL0eHq0qvanoSB0dxEC

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      aea715bfa7b66172a5278ec1ab18bc557412c03f9e1107c7871cc8b852c7fe5a

    • Size

      37KB

    • MD5

      6e7beaca3981e88b5c7cb784540d04ed

    • SHA1

      8cd185e2cc72724e2b379715a0854d0ad48b0f8b

    • SHA256

      aea715bfa7b66172a5278ec1ab18bc557412c03f9e1107c7871cc8b852c7fe5a

    • SHA512

      e4e0a4f814c9b63e36f020a8cc418390d695fc7cbc5c27a5bcca4e6674133cda3806cd33ddc96b54b989ce148ddae4e937195b41cb96120ac277525d5b150d91

    • SSDEEP

      384:6qTk6iumi/o8VS5x/BV3+BEbGxhnG9px+cRqM6Vq5eEQ6pZmJW2TlVcMW+k3e/JD:6sk6m0KFL+BpcOMr5eEFpZO8GT8jmZ

    Score
    1/10
    • Target

      b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8

    • Size

      63KB

    • MD5

      0a1ca904b3d688c01f4e5faae811922b

    • SHA1

      143a3d4a5865c59926b49add4d596c6fc3e1a797

    • SHA256

      b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8

    • SHA512

      fdf9b6a6d8ed0f2443907923dcfba6401145ee377454e196ccd057e9ae126d7e66b2607d9c4ed95bbfbdb26321904cd72ed052c3cd8d942785f12f340a864424

    • SSDEEP

      1536:srUlse2ToVMjLb6M0VqSep+cx4sDEl3N6:OyP+b6MMBep+cx5DET6

    Score
    1/10
    • Target

      b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c

    • Size

      20KB

    • MD5

      2b52153a1ec8cc4ec1325fc9281b588c

    • SHA1

      351d03dd0da046ac290e5d007db9567e753c8ebb

    • SHA256

      b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c

    • SHA512

      1f68665996268c8314ff14b992af27d70aea246cb4732c04ec5a49612adbc40ce798f911a40c0bc7f24c02567259aca982a5f5b489950abd26428dd956eedcd8

    • SSDEEP

      384:jUYmHMA+Xi8EECJaAV6BEGqJ3n9N3Hu7TeZwBYRWjilUf/Z:4DHMAGcahwJ393wqR4i8

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121

    • Size

      28KB

    • MD5

      b58f170bed7f9957bc929ad9fe669692

    • SHA1

      55dfe9b436059ad1fc007e9264e942ab4ba4f986

    • SHA256

      b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121

    • SHA512

      089dc07e7bdb591b69fa16a3e7d9087138e2981747613ed3d10929ad7a8a4314ee2a3c04a04af1144861e293b856678cd227d25f9a363c92f9f106c0e30ed6d8

    • SSDEEP

      768:EYftj96nRnmSsSkd8HXVEu5TWYId/vOa:hknxjsLdQEUWrFvOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831

    • Size

      596KB

    • MD5

      3317cb0537262f5aeac914678fc36ad9

    • SHA1

      86b79d8241cb5bb67e92120d51546b99128ab50f

    • SHA256

      b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831

    • SHA512

      91db338f5b80a46a998543ade85805c3a7c0aa68137c9bf0fb139411cf42f9ce064e49311aaf2d6ce5c30c38f5f412ee325005ee71c495cbcd6410f3c095a9e3

    • SSDEEP

      6144:YLLd7X/c9czUgJYBicivmV//7SJIwM3XBNBit:6Jj/c9ngJYAYX7E70xit

    Score
    8/10
    • Target

      b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225

    • Size

      7.4MB

    • MD5

      46a614bb825039eb6ff3f91c717e3d07

    • SHA1

      47d7367b96e64c24de194493c5d993abb882d11b

    • SHA256

      b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225

    • SHA512

      46a8c32c8170d09a622730d81e204bb9b24ffac9a74781aec3d45dc0277291bba5c33dbfb2dae1f363599fe984278bcade1c60f657e3f7dc14a8df4cdd2d99c0

    • SSDEEP

      196608:P1SiJ26+skCPWANeixq47r8zsXbVK3HoA:NJwNANeW57r84rmHo

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646

    • Size

      1.1MB

    • MD5

      8eaae8e3963b93009aff4ff791370bc1

    • SHA1

      6c877f753df6a71684df2a1a19841b6058cbd519

    • SHA256

      bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646

    • SHA512

      71a465a46db9f60c57a22fc4ea50bb5948cda39e9716c92eff8aff234d5d871f9d5816e0220fb2e9652f40fae68f898ff43c97627210d84e12cf6a351c94dfda

    • SSDEEP

      24576:fAHnh+eWsN3skA4RV1Hom2KXMmHavzbzl7YWaFvuK4ImIqgkx5:Ch+ZkldoPK8YavzbztYWaQK4ImI6

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106

    • Size

      235KB

    • MD5

      b5476d95231211c1ed5b9f36b068cfe3

    • SHA1

      8522563d2601f0059816d6594a7c2bb44ba374df

    • SHA256

      c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106

    • SHA512

      717bc9081ebf38ed08014bf190d4d77cf8a602ff373d2465d7adf45037a9e5adacc2bebbe8a3d1c3b5f683e6226c56eb45a3e21a99c966b4b83e09a527c8bc2f

    • SSDEEP

      6144:rMc2LxfEXhO67G4r6zYIfnu+AEDffVoLbNeia:rafg7G86zYIfnu+fDffVoLZa

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d

    • Size

      29KB

    • MD5

      f80685487edb158c1dcde36869bd29c7

    • SHA1

      def148a3d55ca88ca4ac853cfdcf12e2311ca677

    • SHA256

      c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d

    • SHA512

      f4c1de8afb1bb91ab8bcdd7728994fb0eef77c2a824213b234e10cba00d23b5ec677d41abbb5064c40ea83fd779809b44bc62192017bb094c36e9e40cc7e040e

    • SSDEEP

      384:B++qy+kS7Ehb0UhoPRRCiJ20ZITLk24jXPl8uoC/hC5Z7UzDFIv:Q+QkMgb7s5fc2XP/Iv

    Score
    1/10
    • Target

      c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1

    • Size

      26KB

    • MD5

      467d44fbd5546afd2fec88d34d1e8791

    • SHA1

      8520c2890b3a898695126e8d782d966403ea071f

    • SHA256

      c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1

    • SHA512

      75f713fefd4eb00c182bdb7d437ccc95142ac48f0f6908e0a2b46baf12a3439e2fd8b3c7d10fe5f2810defa15a5e1bf64ba88637766c78361947c11b6865b72c

    • SSDEEP

      384:SItlccdz9rt0uUndn1zxudjwZWeo/N2W8HXVEu59uLS5U/ANpp4DovhezRKqRN/J:SIJz9un1zMwAjd8HXVEu5TWM1+/vOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e

    • Size

      1.1MB

    • MD5

      efebe6072187368183e14c2d561624dc

    • SHA1

      c0ef36b220a235a12eb610edf616db7a8b02c3fc

    • SHA256

      cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e

    • SHA512

      40b15edfd8d5f5fd2b2fde78ff13ed47cd6b68f17f07b727858c134649a1851c464f2edaf48d8c9214a06d57711586afdd63742b7ba3c5f093c9964a7f9a2ab2

    • SSDEEP

      24576:e84bJcpabe3UMM54Fvo/oW/VtB0YsrKkG:eBbJcpaa3UMjFw/oW/10Ysr2

    Score
    3/10
    • Target

      ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de

    • Size

      67KB

    • MD5

      ed00beeccdd96f42c60aefc4d1dde58e

    • SHA1

      7d25d5d149370846b10c4ea91695ced647a32d82

    • SHA256

      ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de

    • SHA512

      448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d

    • SSDEEP

      1536:gjbzXAJks5uQa7fVwLgi1evRIH1ZQ3aMJnDQZhoPbkILpC0O6sc3+69e:gjbzXAJks5uQa7fVwLgiMvR61axah

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87

    • Size

      1.3MB

    • MD5

      46526b1804320c45581d61ed7ac36650

    • SHA1

      9ffc3dd00036daa0a537b8b316ee9f6724504e56

    • SHA256

      d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87

    • SHA512

      31ee16705a08c764cd3fa5fdb39940fccb86b69ce6e380dcb6086f800d397158889fb8b49a5852a268b8443205953a4b16cab56f66a492ad76989a7aff1ce2a3

    • SSDEEP

      24576:hY78fKhxQqpm8+GVQo71yrCTg6bjQXABCsRJAcPmLk06Urjw:a78fEe4m8+fK1yrCU6bjQwTRScegrUA

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1

    • Size

      26KB

    • MD5

      b30238ea2be78a6b74b05d320e584890

    • SHA1

      fb20d4cb4450d8befa217085793883b1b1568583

    • SHA256

      d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1

    • SHA512

      ef81fea2fad1a26f654896568d19472ef294bb1e7b050f191ade70c2579172f90fdef3f28bf30fa87ef8672a212a586f16730627deca510a17d9c19b3e8ae891

    • SSDEEP

      384:RiN9ccVj9rt0GUnFnRnxud5SseO/N2W8HXVEu59uLS5U/ANpp4Dtg4ezpKKON/vx:RiZj9OnRnmSs1d8HXVEu5TWKaF/vOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8

    • Size

      36KB

    • MD5

      1c29c38b0799dd67080c657ec1b9fc3b

    • SHA1

      6517029f4bfbf6f55aa6b34f51447d37ef38c4af

    • SHA256

      d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8

    • SHA512

      07fa0227dd2f4b107524b595845d9adadd56571967503638618a3e8d914d684c06a463ec77bc043027aa13c8fe5a584df3a35f9d1dd9badbefdcbd4d6ed196b2

    • SSDEEP

      768:HQZj9On1zMwA7d8HXVEu5TW6aq/vOaC5wcSvM:wonhfA7dQEUWX+vOa9cSvM

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3

    • Size

      26KB

    • MD5

      00683c2668d0329457a67a5d5523d1ef

    • SHA1

      8831515122545e6eb889bfefc66615b78cd0df2e

    • SHA256

      dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3

    • SHA512

      6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff

    • SSDEEP

      384:1iN9ccVj9rt0GUnFnRnxud5SseO/N2W8HXVEu59uLS5U/ANpp4Df26eznKKfN/vx:1iZj9OnRnmSs1d8HXVEu5TWyO8/vOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c

    • Size

      1.3MB

    • MD5

      7169974902e5b51350b00a5644a6088c

    • SHA1

      ded834d8f228bfc599220e687a28f46b37d087b5

    • SHA256

      dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c

    • SHA512

      24ff4715889b6173113ec5652ee3e007e959b8afed69457ab6c1641097e98c83d48db9606d4b26e4a8417025c3692853c55a63d22dac42630cf0bb39ba765f4d

    • SSDEEP

      24576:mNA3R5drXpijjuLLjthBWEPrKHDKSaemoe0ASVgRr7rl4u1h6LId7nT1RMwaMm3O:H5sjivjvk2mJeIV0r7R1h6LIdzTXM769

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024

    • Size

      206KB

    • MD5

      700c0c3cb81bc180b2a5157b183c1664

    • SHA1

      170914b526bb391b3b00d502ea4ba2e78038ae79

    • SHA256

      de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024

    • SHA512

      6d149a9e0060de6da1309de21352f56c71ffbaf9b9599df52b26b5f9b75b0fad260fc517a68f19eb99d946e649623370d85bf10c4b3bf1e4c0d6e2a97580b861

    • SSDEEP

      3072:bUFmaznVF+HigtmeUfqf9WFkJ19xLOnY31gd+rvIP2qJlnqdizo:uK9Wzk

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25

    • Size

      93KB

    • MD5

      4220ba70c74cad091e00dd84cf84a3f1

    • SHA1

      ec1a5e1964e8de04ec1bde1103198779960aa3be

    • SHA256

      dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25

    • SHA512

      4bcc58fac6370cad38b1a42c8e6871a76cdbeb586db741369beb35542af23657fb3ec2b657212552b20bfb98d8a45d84699e72a3b8ebe0039726c62b951783f3

    • SSDEEP

      1536:r3eJG53G73mxdvdmkGeT5a0NH8ivVO4ZTAWbBC8Ff0639WgRrYO13y0XFpDoeLx/:r32GhNvxGeT5a0NH8ivVO4ZTAWbBC8FJ

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa

    • Size

      604KB

    • MD5

      2ba17b874477bcff2509e2e5deab9715

    • SHA1

      5e4dfb24fc4777fd9c2126d3195bb39e82b9d7e2

    • SHA256

      df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa

    • SHA512

      5ad2a048115cc6912b9d5b102b37bcc8d6c6d5ce3d03e7e1d40709b4cf64d698e1ede164587854ec13630beb6e84edbeafa6df1e0f9c4335ab449709f4e16ee7

    • SSDEEP

      12288:jecjcr2eyS5d57albpuClk6FJPxUlD6VlOuJE1kGm89:6Ycr2eb7gbEokYhJE1kX8

    Score
    8/10
    • Target

      e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716

    • Size

      26KB

    • MD5

      0d40af16eec3e4b461fee10897ce7793

    • SHA1

      6aded66dabd7e5b7d787892d0b1d1975cd9ee2ec

    • SHA256

      e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716

    • SHA512

      3efb11616472ceb24e1032c295ab1deca5a8317d12f45bea2381bca20c74a832d5a99319e0720c09548def4227dc4f16f2b1ca3370524d60a1b9c3ca1e4c6173

    • SSDEEP

      768:qQZj9On1zMAA7d8HXVEu5TWGbZgv2/vOa:nonhDA7dQEUWRqvOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5

    • Size

      1.1MB

    • MD5

      9237433077b158a908db30a6f1bdff34

    • SHA1

      a057b8b37ed2ee5de4c40cbfc4c60e6811a6a0c8

    • SHA256

      e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5

    • SHA512

      40fafea42f71d5d531f671d73886e649f9151a1b9cc28636723962dc1a6d1cdb0a68adf18206012d208703aa0ffc08b8a47c13025291db25e78863106b171132

    • SSDEEP

      24576:/Cdxte/80jYLT3U1jfsWa9T106d5qNdiQ:ew80cTsjkWa9+

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6

    • Size

      717KB

    • MD5

      c6bd4bc93848b6f0a5c9fccf121b3055

    • SHA1

      fd96fd58178ce03d0dcc7dbbce7f60148b1dc117

    • SHA256

      eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6

    • SHA512

      bf209b03f04307f1956e12715a5088ea33b667b636dc79a31e649ca24212a4a1078b66a0223545a3da82efe10eb1133cf1acee27ca6a14861a4a40c02254ee59

    • SSDEEP

      12288:rzlX6UDtz769iO1Z85Wk+0ePHEqfsLpGI2GU/b0/FszZCtHxUTA3mFZn5Rd:HlX6ktH6MOU5SlP3IS0s8HkA3cZn

    • Target

      ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0

    • Size

      1.7MB

    • MD5

      b34fc356387febf6a41b22b6845a0913

    • SHA1

      6c0514a134e8f6fa4bf3d709ded7b9feae7aa9f6

    • SHA256

      ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0

    • SHA512

      a32efac4708b746e2a7d4aa84211be9ed73da90caefdce7948c749f8ebd3b46f44b3d5ef4f9f3225302853e9ce7047c3fd8caaf598029cccedcd900e7d02469f

    • SSDEEP

      24576:0MwTj1hBcvGHIGe45RFPDQCJ8rYegGHMtO5r4rR/S3zcw4UfXZycBADaxBcHq:1O1TcvGr1rj88egGs5k3zvo8ADaxBb

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66

    • Size

      26KB

    • MD5

      96783917c067f4a74c0dd2f56643eea1

    • SHA1

      5a65e81d674500fac979aa8c2d854ac230bf598b

    • SHA256

      f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66

    • SHA512

      979a5210896e8a7405c415bf683984e8d514a9c15ca87a90c8333b5658f2e08df3ae69736e9eba74f8e35c76163f98c54ac928d21f21e5538183179d2db4b632

    • SSDEEP

      768:3wcO79HKn1LMwAhd8HXVEu5TWKDQ/vOa:NOxKnpfAhdQEUWGUvOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b

    • Size

      173KB

    • MD5

      a086f197a46fe757785c767048f2d9f3

    • SHA1

      62100a3d908db60faf193caf24515e0fcf5f625e

    • SHA256

      f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b

    • SHA512

      1aa399f46bb9212d72adf75c17bb7df436b6d6cd0bfb83d9f08927e9ad21f48b7bfb30682c4021ac1fc3f547fbe9fdb4a9488f981ad9a06255849399ba87ae15

    • SSDEEP

      3072:I0tlAJw07xT/8RxM8SX0NtZ4Y2ZiQ/ZZ0AGVPBORLuy+gY/Ptfew6ziOOTYbL:RW7hwFj2YwZZ0AUkRLX+g8Z6OO

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab

    • Size

      390KB

    • MD5

      dc5cd2992a219d51a2b2e0878eeda416

    • SHA1

      04b058f5e3087fd6ee63e97a87b08d228d9cc76f

    • SHA256

      f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab

    • SHA512

      41c0a582931dee21cdb83e621a029f0ab14addf265a72596104db6153f474342d859eab37f099b1bcf2e3e1ede72cab1c04a72ffe094ff6755da97b65551b2ee

    • SSDEEP

      3072:monQdsWCvOppAVrEDC+p+u+7jKBVDC+TgElfoVI5Ow0qVJux8ksa7Uh+TlJ:Lns3lJMniD1rn10sV5yUh

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4

    • Size

      77KB

    • MD5

      689623dcf8cce31f412b1ad534a63c94

    • SHA1

      e493ebed912d360ae7537a038357cd81bee73860

    • SHA256

      f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4

    • SHA512

      4d347347f401a4d721905f76296d2a3fcec4541b64912efe12de0aba190953165eebe43d8bfd12873d91e64144829fc35f653bcaa1b385a58a7a3de82df0e4eb

    • SSDEEP

      1536:ihXyZtq0kRVF8XVLkYteqDg2l6RfOaBs0jNnqsWdd9Go/rTXn:ihiZY978XlkYUqDg28RfOaBs46dLGoP

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96

    • Size

      1.1MB

    • MD5

      572c6a074a34978b05750fea0c97648e

    • SHA1

      94f5853d63106365d0f6ed1e46c32ccb8550892b

    • SHA256

      fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96

    • SHA512

      8b5e809fc5c8348b07885033d6335f9559f7313ed0f45faf3361fb70bacfdda75a0593e836fb967986282027963bd1b19fbce80fc2a69beafdb62ce256235a30

    • SSDEEP

      24576:uRmJkcoQricOIQxiZY1iaCKdBOYI9z7ogKQt91EamgMd:7JZoQrbTFZY1iaCn9z8VY9Id

    Score
    10/10
    • Modifies visibility of hidden/system files in Explorer

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497

    • Size

      40KB

    • MD5

      80f3036110c00a57b09bba7343c16696

    • SHA1

      aab69aa9dd1ae6c8ad38aca89720053c918d5560

    • SHA256

      fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497

    • SHA512

      5e5140ec8a8b23d06ce3349e7c4b107c6a73fbe3fa55a05fa8178b3c3b76df6c417d3334a03824ac24c58208b03b46f94fa48f68cf313d93e214d40087b076e8

    • SSDEEP

      768:B2FqkvDeUlJvlWwaYkzJzxGPZSCmfSUC9FQNBZyxGb1V29dpfo7h9Rp6oIGb+Elr:QFqkvDeUlJvlWwnkNlGPZSCmfS19FQNd

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

evasion, persistence
Score
9/10

behavioral2

njrat, evasion, persistence, trojan
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
6/10

behavioral6

evasion, persistence
Score
8/10

behavioral7

evasion, persistence
Score
8/10

behavioral8

vmprotect
Score
7/10

behavioral9

netwire, botnet, persistence, rat, stealer
Score
10/10

behavioral10

njrat, lol, evasion, trojan
Score
10/10

behavioral11

Score
1/10

behavioral12

evasion, persistence
Score
8/10

behavioral13

Score
3/10

behavioral14

njrat, nj, evasion, persistence, trojan
Score
10/10

behavioral15

njrat, svhost, evasion, persistence, trojan, upx
Score
10/10

behavioral16

evasion, persistence
Score
8/10

behavioral17

evasion, persistence
Score
8/10

behavioral18

evasion, persistence
Score
8/10

behavioral19

njrat, sixtnn, evasion, persistence, trojan
Score
10/10

behavioral20

njrat, com, evasion, trojan
Score
10/10

behavioral21

Score
6/10

behavioral22

evasion, persistence
Score
8/10

behavioral23

evasion, persistence
Score
8/10

behavioral24

njrat, officer09, trojan
Score
10/10

behavioral25

nanocore, evasion, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral26

njrat, evasion, persistence, trojan
Score
10/10

behavioral27

evasion, persistence
Score
8/10

behavioral28

discovery, persistence, spyware, stealer
Score
7/10

behavioral29

evasion, persistence
Score
8/10

behavioral30

njrat, 14.04, evasion, trojan
Score
10/10

behavioral31

evasion, persistence
Score
10/10

behavioral32

Score
1/10