General

  • Target

    baa13ad4c9d7ba4f03915385de91c623e63c677a363a1dd2acb2d6f119b8adc4

  • Size

    1.4MB

  • Sample

    240205-shk1vscgbq

  • MD5

    a4f8a32f1927d1bf93fbc814883063a3

  • SHA1

    041cce3c1e69f77923154b9f9be9c09a38ae2515

  • SHA256

    baa13ad4c9d7ba4f03915385de91c623e63c677a363a1dd2acb2d6f119b8adc4

  • SHA512

    a766149f0a9e570a6a577855455964bba47a83f2b3cbf1689727dceb8b9e34fc8658ed656e2b8b2446042908e9af24fe0e236f9cecd4b03d339293d633cef6b9

  • SSDEEP

    24576:qxLsMs8WdUS8vyooy7U2H55KnzRfnVQF8IqKLu/9ASfb3vXCFK9pYEm1Ap3U:usldsvyoXfHPKl/9Ij+9bqFK9pDm16E

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    hack

  • C2

    hakim32.ddns.net:2000
    0.tcp.jp.ngrok.io:17616

  • Mutex

    0d8147ccf1c17062afe1aa53b667a274

  • Attributes

    • reg_key

      0d8147ccf1c17062afe1aa53b667a274

    • splitter

      |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  • Initial Access

    T1091 Replication Through Removable Media (1)

  • Persistence

    T1543 Create or Modify System Process (1)
    T1543.003 Windows Service (1)

  • Privilege Escalation

    T1543 Create or Modify System Process (1)
    T1543.003 Windows Service (1)

  • Defense Evasion

    T1562 Impair Defenses (1)
    T1562.004 Disable or Modify System Firewall (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

  • Lateral Movement

    T1091 Replication Through Removable Media (1)

  • Command and Control

    T1102 Web Service (1)

Tasks