General
-
Target
winloker builder 2.0.exe
-
Size
37KB
-
Sample
240218-lkh6qagh52
-
MD5
91fcb1cea2f6c84da3c9622a070b7c4f
-
SHA1
32fc093c2041e540ac41d2d0278a1ffb6a589dbd
-
SHA256
c97418800bfc03f8f719b7924aa490cec520d2fd24266186b7b65fd86b3ebd6a
-
SHA512
d7f46cdc20a4a01109971fb0135ea0a8d8fa763f2699c11bdbf5629c35818b49eef7615d982f5b1cb7edc240f3d6896e8d9864ab240747fc6c63a4c77f66790d
-
SSDEEP
384:AU/KMizdLjnBhFbJ8ycP3hXZIwaihMrAF+rMRTyN/0L+EcoinblneHQM3epzXW3o://gLlLJfcP3hyNiOrM+rMRa8NuY4t
Malware Config
Extracted
njrat
im523
hack
4.tcp.eu.ngrok.io:16090
8b89dad6c018b3abd5aab0539a99437c
-
reg_key
8b89dad6c018b3abd5aab0539a99437c
-
splitter
|'|'|
Targets
-
-
Target
winloker builder 2.0.exe
-
Size
37KB
-
MD5
91fcb1cea2f6c84da3c9622a070b7c4f
-
SHA1
32fc093c2041e540ac41d2d0278a1ffb6a589dbd
-
SHA256
c97418800bfc03f8f719b7924aa490cec520d2fd24266186b7b65fd86b3ebd6a
-
SHA512
d7f46cdc20a4a01109971fb0135ea0a8d8fa763f2699c11bdbf5629c35818b49eef7615d982f5b1cb7edc240f3d6896e8d9864ab240747fc6c63a4c77f66790d
-
SSDEEP
384:AU/KMizdLjnBhFbJ8ycP3hXZIwaihMrAF+rMRTyN/0L+EcoinblneHQM3epzXW3o://gLlLJfcP3hyNiOrM+rMRa8NuY4t
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1