Analysis

  • max time kernel
    161s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 04:01

General

  • Target

    8b5861dc1c5772a6512aef0fa0761956.exe

  • Size

    5.7MB

  • MD5

    8b5861dc1c5772a6512aef0fa0761956

  • SHA1

    dcebd52e16bba1ac7ddceb29d524143b25c568e5

  • SHA256

    a22dbc7aab26757e26cc2c626b54a62ab425cbe19fe202fb8b7f70e2b5d64082

  • SHA512

    bdb24999f68786633b50cee878ddf5f852ea5fa38aa1ba750c00b296c91253b78ccf74540ccded36b281eb51dede60916120e88c59afcd310076b4fdb6db2968

  • SSDEEP

    98304:EfaCOBF2ChX5cFY2jh2nu/MCxFAkS2EWbDeqa9Q80jQt0ehfMRYFanpAuARQEsRk:manBFJO8O2rnyeF/0jC0elIp3cppxX

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

566

C2

192.168.0.23:1604

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  • Checks BIOS information in registry [2 TTPs, 2 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file [1 IoC]
  • Themida packer [2 IoCs]

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application [2 TTPs, 2 IoCs]
  • Checks whether UAC is enabled [1 TTP, 1 IoC]
  • Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  • Suspicious behavior: GetForegroundWindowSpam [1 IoC]
  • Suspicious use of AdjustPrivilegeToken [35 IoCs]

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b5861dc1c5772a6512aef0fa0761956.exe
    "C:\Users\Admin\AppData\Local\Temp\8b5861dc1c5772a6512aef0fa0761956.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1468

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • memory/1468-0-0x0000000000380000-0x000000000121C000-memory.dmp

          Filesize

          14.6MB

        • memory/1468-1-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-3-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-5-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-6-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-4-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-2-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-8-0x0000000077AB4000-0x0000000077AB6000-memory.dmp

          Filesize

          8KB

        • memory/1468-11-0x0000000000380000-0x000000000121C000-memory.dmp

          Filesize

          14.6MB

        • memory/1468-12-0x0000000000380000-0x000000000121C000-memory.dmp

          Filesize

          14.6MB

        • memory/1468-13-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

          Filesize

          624KB

        • memory/1468-14-0x0000000006390000-0x0000000006934000-memory.dmp

          Filesize

          5.6MB

        • memory/1468-15-0x0000000005EF0000-0x0000000005F82000-memory.dmp

          Filesize

          584KB

        • memory/1468-17-0x0000000005E50000-0x0000000005E5A000-memory.dmp

          Filesize

          40KB

        • memory/1468-19-0x0000000000380000-0x000000000121C000-memory.dmp

          Filesize

          14.6MB

        • memory/1468-20-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-21-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-22-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB

        • memory/1468-24-0x0000000076320000-0x0000000076410000-memory.dmp

          Filesize

          960KB