Overview

overview

10

Static

static

10

Nexus.exe

windows7-x64

10

Nexus.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2023 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nexus.exe

  • Size

    37KB

  • MD5

    61bd0fa2e9ebe3b4d414addcc8f5d63a

  • SHA1

    6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

  • SHA256

    0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

  • SHA512

    460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

  • SSDEEP

    384:GLU1ehaNitJFbOn0aH2ykr64v1Zmz/UBorAF+rMRTyN/0L+EcoinblneHQM3epzR:11/KNWtkr64NgbU2rM+rMRa8NuA1kt

Score
10/10
njratmastur bistevasiontrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

MASTUR BIST

C2

4.tcp.eu.ngrok.io:11745

Mutex

72e8f6d7acdae0089da4f2a44787bd9e

Attributes
  • reg_key

    72e8f6d7acdae0089da4f2a44787bd9e

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nexus.exe
    "C:\Users\Admin\AppData\Local\Temp\Nexus.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Roaming\Rutnime.exe
      "C:\Users\Admin\AppData\Roaming\Rutnime.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Rutnime.exe" "Rutnime.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Rutnime.exe
    Filesize

    37KB

    MD5

    61bd0fa2e9ebe3b4d414addcc8f5d63a

    SHA1

    6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

    SHA256

    0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

    SHA512

    460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Rutnime.exe
    Filesize

    37KB

    MD5

    61bd0fa2e9ebe3b4d414addcc8f5d63a

    SHA1

    6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

    SHA256

    0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

    SHA512

    460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

    Download Submit

  • \Users\Admin\AppData\Roaming\Rutnime.exe
    Filesize

    37KB

    MD5

    61bd0fa2e9ebe3b4d414addcc8f5d63a

    SHA1

    6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

    SHA256

    0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

    SHA512

    460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

    Download Submit

  • memory/1508-11-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1508-12-0x0000000000BC0000-0x0000000000C00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1508-13-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1508-14-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1508-15-0x0000000000BC0000-0x0000000000C00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2124-0-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2124-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2124-2-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2124-10-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

    Download