Analysis

  • max time kernel
    160s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2024, 04:01

General

  • Target

    8b5861dc1c5772a6512aef0fa0761956.exe

  • Size

    5.7MB

  • MD5

    8b5861dc1c5772a6512aef0fa0761956

  • SHA1

    dcebd52e16bba1ac7ddceb29d524143b25c568e5

  • SHA256

    a22dbc7aab26757e26cc2c626b54a62ab425cbe19fe202fb8b7f70e2b5d64082

  • SHA512

    bdb24999f68786633b50cee878ddf5f852ea5fa38aa1ba750c00b296c91253b78ccf74540ccded36b281eb51dede60916120e88c59afcd310076b4fdb6db2968

  • SSDEEP

    98304:EfaCOBF2ChX5cFY2jh2nu/MCxFAkS2EWbDeqa9Q80jQt0ehfMRYFanpAuARQEsRk:manBFJO8O2rnyeF/0jC0elIp3cppxX

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

566

C2

192.168.0.23:1604

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file (1 IoC)
  • Themida packer (2 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b5861dc1c5772a6512aef0fa0761956.exe
    "C:\Users\Admin\AppData\Local\Temp\8b5861dc1c5772a6512aef0fa0761956.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1180

Network

        MITRE ATT&CK Enterprise v15


Downloads

  • memory/1180-0-0x0000000000300000-0x000000000119C000-memory.dmp (Filesize 14.6MB)
  • memory/1180-1-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-2-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-3-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-4-0x0000000075E90000-0x0000000075ED7000-memory.dmp (Filesize 284KB)
  • memory/1180-5-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-6-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-7-0x0000000075E90000-0x0000000075ED7000-memory.dmp (Filesize 284KB)
  • memory/1180-8-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-14-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-17-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-16-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-15-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-13-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-19-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-21-0x0000000077A70000-0x0000000077A72000-memory.dmp (Filesize 8KB)
  • memory/1180-20-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-18-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-11-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-22-0x0000000000300000-0x000000000119C000-memory.dmp (Filesize 14.6MB)
  • memory/1180-23-0x0000000000300000-0x000000000119C000-memory.dmp (Filesize 14.6MB)
  • memory/1180-26-0x0000000000300000-0x000000000119C000-memory.dmp (Filesize 14.6MB)
  • memory/1180-28-0x0000000075E90000-0x0000000075ED7000-memory.dmp (Filesize 284KB)
  • memory/1180-29-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-30-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-31-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-32-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)
  • memory/1180-33-0x0000000076040000-0x0000000076150000-memory.dmp (Filesize 1.1MB)