Overview

overview

10

Static

static

3

Net amp.exe

windows7-x64

10

Net amp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Net amp.EXE

  • Size

    7.1MB

  • Sample

    231218-xzemmaegf6

  • MD5

    523f1694af7ecfe6cf06b0db19cce834

  • SHA1

    da8bd2e5656f40d183b5f1c263a3e121fe63454f

  • SHA256

    b79a1275b2ea72d2c67cf5377241ab159d2f5dd523f811196c16d50f4e65cf5c

  • SHA512

    1c3c20e71c7f57e012025aa2d2e68f3e3fca46f7d092b736dd91ce5d2324436e25f6b409952561cef853fd92ab57deabefbd6161fbaf5cbe2151861711afaa45

  • SSDEEP

    98304:b3ccU6R7ReNhraV5eKRtHIHWQOSxjDJWxfBQPEtJ8PRmzqopxDYtBRayyajln2HG:TK6lwNhmO0YoGjDi+a7DsjlSPPni2zE

Score
10/10
agentteslanjrathackedmybotsamodaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

samoda

C2

16.ip.gl.ply.gg:3958

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

127.0.0.1:6522

Mutex

08b95e8031023f327813eef69063752a

Attributes
  • reg_key

    08b95e8031023f327813eef69063752a

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

165d6ed988ac1dbec1627a1ca9899d84

Attributes
  • reg_key

    165d6ed988ac1dbec1627a1ca9899d84

  • splitter

    |'|'|

Targets

    • Target

      Net amp.EXE

    • Size

      7.1MB

    • MD5

      523f1694af7ecfe6cf06b0db19cce834

    • SHA1

      da8bd2e5656f40d183b5f1c263a3e121fe63454f

    • SHA256

      b79a1275b2ea72d2c67cf5377241ab159d2f5dd523f811196c16d50f4e65cf5c

    • SHA512

      1c3c20e71c7f57e012025aa2d2e68f3e3fca46f7d092b736dd91ce5d2324436e25f6b409952561cef853fd92ab57deabefbd6161fbaf5cbe2151861711afaa45

    • SSDEEP

      98304:b3ccU6R7ReNhraV5eKRtHIHWQOSxjDJWxfBQPEtJ8PRmzqopxDYtBRayyajln2HG:TK6lwNhmO0YoGjDi+a7DsjlSPPni2zE

    Score
    10/10
    njratsamodapersistencetrojanagentteslahackedmybotevasionkeyloggerspywarestealer

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • AgentTesla payload

    • Blocklisted process makes network request

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks