Resubmissions

17-02-2024 16:51

240217-vc7zjshd22 10

17-02-2024 16:36

240217-t4m8sahc42 10

General

  • Target

    Soundcloud Mp3 Downloader.exe

  • Size

    34KB

  • Sample

    240217-vc7zjshd22

  • MD5

    10ca22a332f6acefb21a957e09e30608

  • SHA1

    a048ee36ef2ba5dc9b676ba815df68b6d6188f60

  • SHA256

    79f0aeca1d115dc298f302ad91b1762f3ef6aefe16b13f269aa6d211def3ff38

  • SHA512

    4c751bc0923eed5f33bee95c706253704a40f838a45de7b35a34f3c330af399e98e37ed3c0f7c5d0a9333a911207e3ed5589b099838ffac2c029b86bc8441a91

  • SSDEEP

    384:ZtZNYkRM94IIWsi7omXh2JfNFPIMeTuSblDTodg9TduS/EIGsJjwE7UMcrie48eC:nDSOComanqlouDuCEIGfRn+fw

Malware Config

Extracted

Family

njrat

Version

0.9d

Botnet

Hacked By HiDDen PerSOn

C2

0.tcp.eu.ngrok.io:10540

Mutex

eb79d2041d670825ab1270eb43a4aa92

Attributes
  • reg_key

    eb79d2041d670825ab1270eb43a4aa92

  • splitter

    |Vyrn|

Targets

    • Target

      Soundcloud Mp3 Downloader.exe

    • Size

      34KB

    • MD5

      10ca22a332f6acefb21a957e09e30608

    • SHA1

      a048ee36ef2ba5dc9b676ba815df68b6d6188f60

    • SHA256

      79f0aeca1d115dc298f302ad91b1762f3ef6aefe16b13f269aa6d211def3ff38

    • SHA512

      4c751bc0923eed5f33bee95c706253704a40f838a45de7b35a34f3c330af399e98e37ed3c0f7c5d0a9333a911207e3ed5589b099838ffac2c029b86bc8441a91

    • SSDEEP

      384:ZtZNYkRM94IIWsi7omXh2JfNFPIMeTuSblDTodg9TduS/EIGsJjwE7UMcrie48eC:nDSOComanqlouDuCEIGfRn+fw

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks