Overview

overview

10

Static

static

10

WindowsChecker.exe

windows7-x64

10

WindowsChecker.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WindowsChecker.exe

  • Size

    93KB

  • Sample

    231209-xck6wsbec4

  • MD5

    e31757c7380cb78282766dd25d120ee3

  • SHA1

    7bab9ed4cefbe3453bd5a93bae61f06070ba0a53

  • SHA256

    b05aa05f17e8f1e446db95e429cef7c5c5ba3c22eebcc34b2211bd165533f462

  • SHA512

    48dc620f8f2038b529929ca5c5367e128d73e7cbeda45c4a354d67c828f444b905e00a3d99b5199c2fc4dcdef9a307aff49b33034e7a3b20a79d4dd6a32d1e54

  • SSDEEP

    1536:h6G1GkeUqZJO53NSimjEwzGi1dDSDDgS:h6hUqZJOpAOi1dU8

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

185.150.26.249:5552
Mutex

c1c9e1b447681be038421a0917214a66

Attributes
  • reg_key

    c1c9e1b447681be038421a0917214a66

  • splitter

    |'|'|

Targets

    • Target

      WindowsChecker.exe

    • Size

      93KB

    • MD5

      e31757c7380cb78282766dd25d120ee3

    • SHA1

      7bab9ed4cefbe3453bd5a93bae61f06070ba0a53

    • SHA256

      b05aa05f17e8f1e446db95e429cef7c5c5ba3c22eebcc34b2211bd165533f462

    • SHA512

      48dc620f8f2038b529929ca5c5367e128d73e7cbeda45c4a354d67c828f444b905e00a3d99b5199c2fc4dcdef9a307aff49b33034e7a3b20a79d4dd6a32d1e54

    • SSDEEP

      1536:h6G1GkeUqZJO53NSimjEwzGi1dDSDDgS:h6hUqZJOpAOi1dU8

    Score
    10/10
    njrathackedevasiontrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks