Resubmissions

  • 09-09-2023 11:40    230909-ns69maag66    10

  • 09-09-2023 11:39    230909-nsc1saag57    10

  • 07-09-2023 19:38    230907-ycr5wadf8x    10

General

  • Target

    xcmo.zip

  • Size

    8.0MB

  • Sample

    230907-ycr5wadf8x

  • MD5

    c5f48b58ee411b925a3bca02bc9bcb2b

  • SHA1

    819a0b79fc8860634eed48d5e529dcfbdc0416b7

  • SHA256

    16855c2301d184e41dba86afc518440d6c9d756bcbaeb7daebb0439b316c40ba

  • SHA512

    e3c016464ba34d545eafd6a7594a75ba3bcb394f9920f10b1734519f3bbf430a15b8605aa40e3bd02b79dcf572f1223d0792e5e98ec3e7cacc3f548b362a865e

  • SSDEEP

    196608:pl6dKeJB6DumaD71MMBtbxGxJzUGjuNr7YUX0Lc1GOMfo:+dKebgw7hBFxGxJvjaJXecCo

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hack9991.hopto.org:1177

Mutex

2ca07b832d8eaedbc7053063c9b11e8b

Attributes
  • reg_key

    2ca07b832d8eaedbc7053063c9b11e8b

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

svchost

C2

king14.duckdns.org:1177

Mutex

91602bde66d8a2627f3507223a646162

Attributes
  • reg_key

    91602bde66d8a2627f3507223a646162

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

~~1~~2~

C2

linkadrum.nl:6969

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Admin

C2

n1313.publicvm.com:6686

Mutex

3e2ba6e27f6c302ca8093546541e02ce

Attributes
  • reg_key

    3e2ba6e27f6c302ca8093546541e02ce

  • splitter

    |'|'|

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

kim2kim.zapto.org:1604

Mutex

7R4L26L8545I71

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    javup.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    techno-techno

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

njrat

Version

0.7d

Botnet

Beer

C2

beercontest.servebeer.com:5552

Mutex

d683b158d2719a9a4dc585645b8e3565

Attributes
  • reg_key

    d683b158d2719a9a4dc585645b8e3565

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

FTD

C2

amon008.duckdns.org:1006

Mutex

6c1567cde2639e7f2e31584fc3be4bb7

Attributes
  • reg_key

    6c1567cde2639e7f2e31584fc3be4bb7

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

hello

C2

drparano.hopto.org:8008

Mutex

c65c4079c6ac73b35a6b0689a27468b3

Attributes
  • reg_key

    c65c4079c6ac73b35a6b0689a27468b3

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

snopi.ddns.net:9100

Mutex

272ff55278454cfa6273bf5d87d871b3

Attributes
  • reg_key

    272ff55278454cfa6273bf5d87d871b3

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7.3

Botnet

afraid

C2

seeme.ignorelist.com:4388

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    1122

Extracted

Family

njrat

Version

0.7d

Botnet

server

C2

vemvemserver.duckdns.org:52132

Mutex

fe7cf1c0b6864c6937e1566af8643f77

Attributes
  • reg_key

    fe7cf1c0b6864c6937e1566af8643f77

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Madest 0.7d

Botnet

Half life 2D

C2

192.168.0.101:1604

Mutex

c4416ab969a200b55a29cdd529368d17

Attributes
  • reg_key

    c4416ab969a200b55a29cdd529368d17

  • splitter

    |'|'|

Targets

    • Target

      019de4dde7e30e6073828ce34fdd9b1da9b1383a413f88c8682d22c5c2a6e87c

    • Size

      60KB

    • MD5

      3f99176532c1d4790694c4dd2394ec1b

    • SHA1

      8bf4b45c5021ab2b623bb3cd9faba5613b5f729b

    • SHA256

      019de4dde7e30e6073828ce34fdd9b1da9b1383a413f88c8682d22c5c2a6e87c

    • SHA512

      99b2d86e962b4e32e0dc5ef3decba61b422a4a3e4bb138b8c311589da9337bbba7bf2e8d4016e75ecd94413b4b184b717a78522e44ef48bbe8d36aa48959f1ef

    • SSDEEP

      1536:1onxjs1dQEUW9hvOa6kkkkCuZkkk34kEk5wbWOj:1onQdsWfvOFkkkkCuZkkk34kEk5wbWOj

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      031dec5767632539f3d0a3529a2f34ebe563fa39571025e410f0c53afe0d1dd7

    • Size

      153KB

    • MD5

      f480895ab32f2e9fa800b609bff3eca9

    • SHA1

      d0cf7123663d03e4496a8ff1a8ae6a7be40fadd8

    • SHA256

      031dec5767632539f3d0a3529a2f34ebe563fa39571025e410f0c53afe0d1dd7

    • SHA512

      0351b36406482f1cdff87d780f98f6f4a376df1135a8788e287fe20bfbf9de4fd249d8ed75cb577b03d29b98d1962f9e992a882599b5dfae15fc6cb22db9747b

    • SSDEEP

      3072:tCijiyvG+aikhLtRmW1DAJGuURN4Kx6DSPMMDCG9qwhg8HH4TT:KV9T5kGuWmKY6ag7HH4TT

    Score
    1/10
    • Target

      0b354f77531c613d44cdae7d931a59fa55b389ea12c923c3a6c23a338b8418fe

    • Size

      1.2MB

    • MD5

      43146d4f1c1971e6a47860b6e29ab0a6

    • SHA1

      ad1fa7da25532c9a252cd7ca9b114808e138b675

    • SHA256

      0b354f77531c613d44cdae7d931a59fa55b389ea12c923c3a6c23a338b8418fe

    • SHA512

      1ee6b17dbb5e20f8db41b5e83a0c3fe316e56a4124c57469d9686de72b94ed17791a0aa375e0b982d030d08ab6fb78c298273943192b813385af9edad7fc05a0

    • SSDEEP

      24576:EAHnh+eWsN3skA4RV1Hom2KXMmHaX5iYuiKAUjqUY6h4Zy5:Th+ZkldoPK8YaX0YnUe304e

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0c9e720cbe54486840aea9b14d48f03298b280c3411838ca2b16a539b5a2c176

    • Size

      23KB

    • MD5

      b44b466c29d4b483b32994df047d4735

    • SHA1

      fb252570ba93e01e6d1bb9d466946a1023e58f37

    • SHA256

      0c9e720cbe54486840aea9b14d48f03298b280c3411838ca2b16a539b5a2c176

    • SHA512

      e4ce3a3317c41c7ffd4862d17906f30f15cf672a3a78d2bf24f0063000b4eb5cd243d2f502e356a8d276d5c03bc005c97e2ce6a43e8069c32383318ed9a8816a

    • SSDEEP

      384:OQeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZPf:p5yBVd7Rpcnuc

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Target

      0f11d0ed81828f4db1408f3becdab8cfc576cd297dff15667817bcac6e0f2d7d

    • Size

      26KB

    • MD5

      44b19c7e0ed188d14984dc62a7765bb5

    • SHA1

      c23601ca6dce9ab266cb1e9fa7a62f5bf19b479f

    • SHA256

      0f11d0ed81828f4db1408f3becdab8cfc576cd297dff15667817bcac6e0f2d7d

    • SHA512

      fd83a9a8b3f7c841e26662fd7dc76d9229872f8b456f767c671d8245764a43f94f4c1280f451a630454e98475e682fda5e0b11485e2996fe3f1a880940522e5b

    • SSDEEP

      768:QoVUpxTbDzgb8Vd8HX4Eu5TWSC9L/vOa:RUHbng8VdNEUWjdvOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      16cc703d8257689744e479b98785413eb5220913497443a1c306b25b6695d5cf

    • Size

      562KB

    • MD5

      2638bf5573538231b7c5934c866b37b6

    • SHA1

      4ed574ead65ab1f482a420b372e19a37980a728b

    • SHA256

      16cc703d8257689744e479b98785413eb5220913497443a1c306b25b6695d5cf

    • SHA512

      af1844781ae3f96c52f9097383f21f17c18595926b3250f5ef454307d292b7f6f8fc6ae1efa580a514dec0dc8ec8fdd8749071d685ad996c568619e0da2e9ea8

    • SSDEEP

      12288:iYV6MorX7qzuC3QHO9FQVHPF51jgcQzf4Q41TyMIVqia3:xBXu9HGaVHQyOnVqia3

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      20d50797f4136d9b07af3b1c79c7c0a266d53c67e61a04c599a8e110f5c150ed

    • Size

      181KB

    • MD5

      1c846c9281998ea2b6c4493e3ccafad6

    • SHA1

      b9e2d989f3b04f2e688b00deb60a81210855a475

    • SHA256

      20d50797f4136d9b07af3b1c79c7c0a266d53c67e61a04c599a8e110f5c150ed

    • SHA512

      78f78da743cd4c77150acf206786e3e9df9528d16b580ef4ddb0bb8c4c515b45383b2e2fcc3cf36aa3ea46e5f352b50c10e2c38901bd0780335f8406df54c6a7

    • SSDEEP

      3072:JLxh9pQs1bgAZtXITCLuuINKgiJeUWSqkWJ3ewgI68d:l9pQukAZs8WKgsjjqkWJy

    Score
    6/10
    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      272a091d66f24b6b5c143adce2762035cefcc81f2e12a003938dd15df5fef301

    • Size

      26KB

    • MD5

      825aa844a7cd575b284ca773f955b917

    • SHA1

      acf636e7f9c48b5294fa3665f317d8eed5ea4bba

    • SHA256

      272a091d66f24b6b5c143adce2762035cefcc81f2e12a003938dd15df5fef301

    • SHA512

      4d37bc565f2e553e09f0a35876e967408fb9d3d296cb61d0658e33fd6d1013708d25784888d8ae62a92ec29d13b779b2d912df8af8517f30be238d959f4afb7a

    • SSDEEP

      384:xiN9ccVj9rt0TUnFnRnxud5BseOYN2W8HXVEu59uLS5U/ANpp4DZ4MsKzqN/vyqa:xiZj9vnRnmBskd8HXVEu5TWuEo/vba

    Score
    1/10
    • Target

      2a525fa3c2513566c892b3f4dcf887513937c0b171d90a51701f723d9add8ceb

    • Size

      1.0MB

    • MD5

      e1b69cc5c5d04772c31c615c49ca0d16

    • SHA1

      26ccebd93c0c89178f521d798792f8ba3a8701e3

    • SHA256

      2a525fa3c2513566c892b3f4dcf887513937c0b171d90a51701f723d9add8ceb

    • SHA512

      618543680cae4cb8008270f9fe8481fdc740ad36f7925bff35f143a3684b3a43059a1d2a89a5e9c43c9e93ed3aa842ccf9bcad3a21f4407fc5772da729d3fa95

    • SSDEEP

      24576:C7hGkTPwXZNFxhDWjMGRtAXaTsW8cQIxXSq1HJzHA:2kX/BDoAXaTEcBhrHO

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      2b12bc6233e5edfbad488f25e37e4ce9195e7242483c0f9df8b40cc57a802fb4

    • Size

      26KB

    • MD5

      123e12288ce1c795ad9e647ed0b47389

    • SHA1

      b71baad18eb5793be4ec04a9e776dc45208459c9

    • SHA256

      2b12bc6233e5edfbad488f25e37e4ce9195e7242483c0f9df8b40cc57a802fb4

    • SHA512

      1f99db822ca9c2521689966bf4b8c7e903a9f57087e36b0e72a33f937d7872dc61d03318aba174491beae1acb70f35d2b24a84ff254e1d72758a8f5e48736bca

    • SSDEEP

      768:MYftj96nRnmYsSkd8HXVEu5TWQAh/vOa:Jknx5sLdQEUWbJvOa

    Score
    8/10
    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      3cdd7497cc0402816bf713be028e7ae3c20846bc1717f93bb0b233f9d0731b8c

    • Size

      1.1MB

    • MD5

      b1019d2738781f10a1119928a2c4d297

    • SHA1

      5e133ad888fbb469971670667dd0a6341f374a5d

    • SHA256

      3cdd7497cc0402816bf713be028e7ae3c20846bc1717f93bb0b233f9d0731b8c

    • SHA512

      bb59cb0cddcb4eb50d4ebd67d09a0cc33141d06409014cf6c7db10dbd5067845befd6c598cd9ae8cbbe3394b4dac78ef30896781620c042dd6828bd2deb83de9

    • SSDEEP

      24576:kNA3R5drXpVVkDtgzg6QOJH3tA96ku1h6LId7nT1RMwaMm3CfBomsA:F556tfNOJH9A9Q1h6LIdzTXM76fBoFA

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      46715abb1e5a7ea1409b29d6fea42c45ce0dfb6c40085a07cab428c78a44a4a1

    • Size

      305KB

    • MD5

      f901b42116f1f8a52cc3abe6d8181135

    • SHA1

      09e6a2744d998d2a9d72c164998a19ba2638c3c6

    • SHA256

      46715abb1e5a7ea1409b29d6fea42c45ce0dfb6c40085a07cab428c78a44a4a1

    • SHA512

      4bae619983e17b077575a6961a94a4d080cebbd44dda1e5369bbcab71d6837dc0e19c95e77fb7c7603db629f580aeab1aeb0dc597168f6ae852c50750cecced1

    • SSDEEP

      3072:o8DHDt6OgDT7a6nhNhQk2+C1Cd40z80epAIRR2/NHIUxNHAunF:o8ft6PoS80KAIW/NHnxyq

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      4f533723524a3b931b1529944809f7c106ab525740b406b35019c63ba68bf620

    • Size

      26KB

    • MD5

      0fa29ef819917c774e1dc3952979b578

    • SHA1

      80a859c0a3b19b2368a0d403782accccb5c37510

    • SHA256

      4f533723524a3b931b1529944809f7c106ab525740b406b35019c63ba68bf620

    • SHA512

      5d74e50970034a6b324cd23c173d726e6f553bf112166881db4f90426d83a5aa056e39b77b2e33bb15c6889d65734ce2c51c26b7d20724595107e610f1cb713d

    • SSDEEP

      384:n2N9ccVj9rt0GUnFnRnxud5OseO/N2W8HXVEu59uLS5U/ANpp4D8TR/ezWKKeN/I:n2Zj9OnRnmOs1d8HXVEu5TWg9cd/v5a

    Score
    1/10
    • Target

      61aeccd39e0b62b00b416293eacac4715cd31abfd90e8ec3e008114299d23755

    • Size

      243KB

    • MD5

      ae32ad50985a736527dea529bcf7cb88

    • SHA1

      4b242eaafa47d4795f114f6ff38fa56f07b08367

    • SHA256

      61aeccd39e0b62b00b416293eacac4715cd31abfd90e8ec3e008114299d23755

    • SHA512

      abd3fcbc635e96a756c8b32619116bbe52460b8af21ba6c66ddcf24ba695e44a843d7258b8f755681f8057de7744ff263024adc41bb36b3f24db27cad24e21a9

    • SSDEEP

      3072:F9nDgJP9iJRm2gyRsDSkW/ZRaBZq7oyxY6o0/gY4VQeUQzuDprQRwD/OL7tjtSg3:F94Vi/mimD8hEQo16N4tDzuDpWw4jV+W

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      723883566aa12d98076e72c282c79eac4862451a5753115de7626670cdb9592e

    • Size

      140KB

    • MD5

      5f41ec27825870637f45ad2191a5f508

    • SHA1

      5bfcd302134a7e1f71bfc3b09e547d1c0eccbc42

    • SHA256

      723883566aa12d98076e72c282c79eac4862451a5753115de7626670cdb9592e

    • SHA512

      f51d021564eef4a6402f2de10c662217a4ce6059013ad5cdc4bfc2e1483149c7cefad468a98ff2effc84d82d27af04dc61af47e6d8d128cbfdd58d1ce3a625d7

    • SSDEEP

      3072:V92oy8jRQvAfN4+wpVdx/Y79GzbY7SAHHj2Pd8bERYC:V9238jR4/+wpVd+79GzbY7SAHH

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      81bd1e8a3c5b5d1dd26f1047fd16c38872b0d111dca47258eb5ac4920de9fbf3

    • Size

      532KB

    • MD5

      8dde77c7172af0329b5c6dcf9c156e01

    • SHA1

      8877a43edfd725ba14b5327cd581b41da122579b

    • SHA256

      81bd1e8a3c5b5d1dd26f1047fd16c38872b0d111dca47258eb5ac4920de9fbf3

    • SHA512

      fd26f7f0691c81a6ec93aee64b08fbd37cebe002357be4418a9cb7a74a100d18e78a9b83ffbc4dfda26990cfd6bca8210a858f546edfb22b765a1f84a740c105

    • SSDEEP

      12288:pBtnUwcoJ+Zp4YBu57IPFzHlmZpFEl73/sUv8cfskAppoOuMgqM:pznUgupCwTg4l73kU1fF2uM9M

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      868445ea9b47fac6a13bef896bc29ebd2818b4db5d7f039f5642f605cfaf1ad2

    • Size

      55KB

    • MD5

      e31b56ca4bf0ba57e5bf00b5e508d66b

    • SHA1

      3b4f7390aa6fc57d93e84ae5a8efd9ce8ad39bd1

    • SHA256

      868445ea9b47fac6a13bef896bc29ebd2818b4db5d7f039f5642f605cfaf1ad2

    • SHA512

      7524a38b317657a694f36eac688a20ff8836ed136a81607eed546d8c2374c4fe92fff3550c1285cb655f6988fb20580c2b2c010770b4df35b97b9bc97828ee64

    • SSDEEP

      1536:5QbBT6oIhZqvGE1S8AF7vvi7l+hGu+qgGNRcQ:agCHAF7vvi7l+Gu+qgGNeQ

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8bbe2d8a2f079bb69e04d1c7fa531503b18888ab4e600adf8deffaf5e06546fc

    • Size

      23KB

    • MD5

      646e5f6050f00f48d3a5e4da887c4637

    • SHA1

      544a840089f459413a499a9b218a646a26a07850

    • SHA256

      8bbe2d8a2f079bb69e04d1c7fa531503b18888ab4e600adf8deffaf5e06546fc

    • SHA512

      18af74f38aed53be96835622910678868a8658df94f7ac0b2f68b259f42148981c207c18dbf05b7fcf2daf0e0bb1384b0fd6fb45c551250d14f60f119f3a2c7f

    • SSDEEP

      384:axQeCo2zmZbQHkJeCdUwBvQ61gjuQBnBBmRvR6JZlbw8hqIusZzZjA:L5yBVd/RpcnuX

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      8f281f244678bdb8b576b47e1e080a25545e7582d9fa0ec632bad9d6aecb66c1

    • Size

      565KB

    • MD5

      d541b892eb55ee1ba1799b0d88e6f434

    • SHA1

      9d3ee47acbb4d0e21a16d1ad44284cc68798e183

    • SHA256

      8f281f244678bdb8b576b47e1e080a25545e7582d9fa0ec632bad9d6aecb66c1

    • SHA512

      075947fb4efbcd2fbcfa80303725f6b8079ad45b5b7c42ea77280c3199802208ad00a02b975c48eb0c2d0216ef1469bcc2041476896c75ded794c05801cc0fa4

    • SSDEEP

      6144:CvSkhTRNb+d/hiAg7+v23dWA6K1CFebhmqgSFA3lLBe+m5vjTNeUu:CvSQTRNb+d/hiAK+Oz

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      976844572297f3ba46bd69aa33e3902e99304d1ac14541a9aa20de229d5c9d3e

    • Size

      3.1MB

    • MD5

      f0a1857883b161815bbcb4ea9a4e5f43

    • SHA1

      497435d34fb7372e6d5b0120d0f81f991e5b26c5

    • SHA256

      976844572297f3ba46bd69aa33e3902e99304d1ac14541a9aa20de229d5c9d3e

    • SHA512

      322166ce814773ced2e5278630bc3c483c4875e5c93027885158a62f5e06b7eb855b52502c183525d88f93abfdcd46a12a9f6d3b628c0a975bdcb55bf2f47e44

    • SSDEEP

      98304:v0i4okTcxnPG1q0hQTib4A+mSzNuaROUhNKa:/4tTcxmh8bPpUUXKa

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9ba12e7aa6b8b26adcd3f080017f612e97d7c1a7f8490af3706f22672a34e696

    • Size

      26KB

    • MD5

      6a5191c609d7b3865b42ebcbbc86dcf5

    • SHA1

      1a4059454de0f9ade7315ed205a0d4fe0e606e4c

    • SHA256

      9ba12e7aa6b8b26adcd3f080017f612e97d7c1a7f8490af3706f22672a34e696

    • SHA512

      665a504db6ddc2831703802090690d13d6e6abbbbbd15613e4b1debbaf5005b5b795c55687b81b24c6b6e39f1b74222ba9c4e7021e07fdbd58467301abc46d8e

    • SSDEEP

      768:uL6s0JV0T8QeUSq+ZYFcd8HXVEu5TWc+/vOa:u6sNTYUnAJdQEUWVvOa

    Score
    1/10
    • Target

      a2a3382336cc42c850a9608ce323ac8ce0ee878c7a33b4f2efa6ec7dc182e799

    • Size

      1.2MB

    • MD5

      36e5cf996b1c720dd144edaa10f6984d

    • SHA1

      4e88ffefff2f478ac189aa107ff5fe98608e927e

    • SHA256

      a2a3382336cc42c850a9608ce323ac8ce0ee878c7a33b4f2efa6ec7dc182e799

    • SHA512

      2d9b1db5ce863652ab91eeff6796b841841f683b6dde74ed93bbca54e86ae9b3ed6f6e7dcd4248b6916b1126380e2e425d53a131c1bdef989369b8e9d0dd3484

    • SSDEEP

      24576:9NA3R5drX4iwDCooy/9i7ek8G+Tx7iu1h6LId7nT1RMwaMm3CfBomY:I5OD//4kPxR1h6LIdzTXM76fBov

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • T1064 Scripting (2)

Persistence

  • T1543 Create or Modify System Process (14)

  • T1543.003 Windows Service (14)

  • T1547 Boot or Logon Autostart Execution (16)

  • T1547.001 Registry Run Keys / Startup Folder (16)

Privilege Escalation

  • T1543 Create or Modify System Process (14)

  • T1543.003 Windows Service (14)

  • T1547 Boot or Logon Autostart Execution (16)

  • T1547.001 Registry Run Keys / Startup Folder (16)

Defense Evasion

  • T1112 Modify Registry (18)

  • T1064 Scripting (2)

  • T1553 Subvert Trust Controls (1)

  • T1553.004 Install Root Certificate (1)

Credential Access

  • T1552 Unsecured Credentials (3)

  • T1552.001 Credentials In Files (3)

Discovery

  • T1082 System Information Discovery (10)

Collection

  • T1005 Data from Local System (3)

  • T1114 Email Collection (1)

Tasks

static1

hacked, upx, svchost, njrat
Score
10/10

behavioral1

evasion, persistence
Score
8/10

behavioral2

Score
1/10

behavioral3

njrat, afraid, persistence, trojan
Score
10/10

behavioral4

njrat, evasion, trojan
Score
10/10

behavioral5

evasion, persistence
Score
8/10

behavioral6

njrat, server, evasion, persistence, trojan, upx
Score
10/10

behavioral7

persistence
Score
6/10

behavioral8

Score
1/10

behavioral9

njrat, half life 2d, evasion, persistence, trojan
Score
10/10

behavioral10

evasion, persistence
Score
8/10

behavioral11

njrat, ~~1~~2~, evasion, persistence, trojan
Score
10/10

behavioral12

njrat, admin, evasion, trojan
Score
10/10

behavioral13

Score
1/10

behavioral14

agenttesla, collection, keylogger, spyware, stealer, trojan
Score
10/10

behavioral15

njrat, evasion, trojan
Score
10/10

behavioral16

cybergate, remote, persistence, stealer, trojan, upx
Score
10/10

behavioral17

njrat, beer, evasion, persistence, trojan
Score
10/10

behavioral18

njrat, svchost, evasion, persistence, trojan
Score
10/10

behavioral19

njrat, ftd, evasion, persistence, trojan
Score
10/10

behavioral20

njrat, hacked, hello, evasion, persistence, trojan
Score
10/10

behavioral21

Score
1/10

behavioral22

njrat, ~~1~~2~, evasion, persistence, trojan
Score
10/10