General

  • Target

    NLHybrid.rar

  • Size

    4.5MB

  • Sample

    231110-d9ssfsag4s

  • MD5

    920a18547758906ad2c91fe900b346d8

  • SHA1

    c6d1e12e684553034fed9892856531f24b41e4ad

  • SHA256

    6876e647529d14ec1bcb0f86cbcb5e56f2ea452b3c559becba66309bbc5af3f0

  • SHA512

    a5ea91015d8e2189b4b1adb43f0dc317304731ee5b5667704657492b718d509c15f109b3123f3ee2abe847c3690a6fef14af23d2f6277c14842f6f34f8442197

  • SSDEEP

    98304:z+Oi7bbWyiTa6nOOBpuFLflyd4L8b1IzT8fDTsaMaVxOk98e8b3N:zK7bbWlTmOB+7lBO1IMfHsafak+N

Malware Config

Targets

    • Target

      NL Hybrid.dll

    • Size

      4.6MB

    • MD5

      9919c732de9be51b26277eb2a56d1050

    • SHA1

      52f3cd72659c7f1bbca70e7e5f1c242ace3167d5

    • SHA256

      15f6bf413abc71a741a013fd819737c0235f88139ab4caaf216c1882208a50c8

    • SHA512

      d189ce6726b74edf9dda0020af8c6b090ff86c27b02ae2f12123c63270a7a4c9418ad6304112ee45157f208204a038cf5b2eae4549cc535489b3494931418d59

    • SSDEEP

      98304:BXaNRs0fX+Gv5mC94AWGT31VCOrPsVW/+tnTXvC1dcP8rmB5Oa5:BXAfOSmC9H1HrPcXK1mkr

    • Score

      8/10
    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      NL Hybrid.exe

    • Size

      158KB

    • MD5

      0fa83a445d50d69045d6e2c8aceb547d

    • SHA1

      2592e9be8e0bc0fe3e9b9676dcf610be63927c1b

    • SHA256

      61e90602c49bf8ddcfa50cfce46e59b5d9e1b47d090eeba2dec03f375beb13e1

    • SHA512

      99173e08397ed028bb333ff627b7cf411fba3e8f83765416b7f09349d8da4ce399d9d6e82af78455b18dbe55343c5be006f50aa06d005e7e0200b11746131e35

    • SSDEEP

      3072:/85ydfdBq4jk5IK2I+lwVexZuCN/R08DRFcp3l/Bqfnq0O:/o9IKDCCGR0QFcz/sfq0

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks