General
-
Target
New folder (24).rar
-
Size
3.2MB
-
Sample
240219-svcj9afa96
-
MD5
7aeba3951ebb66141862ae3abd9058d2
-
SHA1
4f61ff5c388eb21ee5b88b62ef9cd1915402441a
-
SHA256
787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d
-
SHA512
9c9b1721278a8741d4e25037a08ffae7695c176369226c88bfeafbb264e5dece85b137806557d7a2f82907487cf7d6bf9c4d8be3e625ece471bffa2236766803
-
SSDEEP
98304:Ob0+GeKSHtk71nX8OnZdh7h0GEOTsIIWFq7:OQ9eKZ7psOZfmvKs4q7
Malware Config
Extracted
njrat
0.7d
Lammer
8.tcp.ngrok.io:19346
bca7344ec33c4f045ea133b6b48694e2
-
reg_key
bca7344ec33c4f045ea133b6b48694e2
-
splitter
|'|'|
Targets
-
-
Target
anhezkzllnds.exe
-
Size
772KB
-
MD5
d17aa4b3341d78c4a242afdf5a87285d
-
SHA1
fda2f7e9e126dbecc3d43b06f71753b7994d3dbb
-
SHA256
ca6737b1037065306f3828753ffc1ed1bdb0acd03d95cef88a2ae1872bfcbb0c
-
SHA512
de2eab87b8d49c06e5bbe2baccf44c0e92eb7bd6e3c1971bb6c58e6ea6c2ae9b2f51158cb1d75635adbe96c063828aaab00b884a37f7843193f0d1943c551fa8
-
SSDEEP
12288:S3oEPFPgcKEBRlkQcPVle8c8xTCSqfU6XhhdeXZmThqMwRxwkNfM3q9RNIwo:ShSch8xTSfThd5ThUNN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
bghfldfyngmg.exe
-
Size
771KB
-
MD5
8f6f752bd6c2864a77de0ed3cc029175
-
SHA1
e9f586a747ba7e785e919c30d763465d4f46381e
-
SHA256
a7d260cd80149aa4968e8417c4f33488c99d0bcb234c24517da135328cd305d8
-
SHA512
18d1051eb2957849b9d6bd24e238c69d60159f0f76b30426e3efe99294c7d078edbf57fc5f69099924880c0222625cb180c11950f7da38b4f67dc32775ba1c18
-
SSDEEP
12288:PiJVkPVle809qfff+bdlqfPNfM3q9RNIwo:Pw3qfff+bdlqfPN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
jldfefkrpayl.exe
-
Size
778KB
-
MD5
4bb30012aaf74f260f455c79615cac5d
-
SHA1
eeb77e509d86bdac5325c1152bf9c89d6b16bec2
-
SHA256
686e4b531fb9f5d3db659a5a410e5450ced562758d8a85754cb0b4f0bc3469c1
-
SHA512
469ec5b3f19e6e81cc6325fd53519de3884e09bd9b0bdd25ae948b6cf974aa1e7abeaf12d767cdff2d873bcaf7233dfddbf029bdfe19639ff1a3433a91e64f4d
-
SSDEEP
12288:71UpeAQXl+jmPVle82J+IBXEhZPNNBZuNfM3q9RNIwo:7qeVXlsXUI1EhZlNyN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
molbfgsxjpwv.exe
-
Size
764KB
-
MD5
3943e12f7f33ccff610fbad61defc66f
-
SHA1
b893d92e017997f411cfcda76425cc42ddd5405f
-
SHA256
22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b
-
SHA512
4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3
-
SSDEEP
12288:gfQQEGPVle8phMeVUF5nqLL7fNfM3q9RNIwo:gr3+F5nqTN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
msxsbkvjyoho.exe
-
Size
769KB
-
MD5
0f6650adff096ba42febd82cbc3a64fe
-
SHA1
7673c6646eb405a25df0751fbd00fb83fe303585
-
SHA256
a35331e95e0329556d7b0e88d2573a12db668314ee1326a1f23c01a427abdc66
-
SHA512
072b0ec2cc7342b58ea142fc3615e71bbb28219b55ee34d24d1b76d62f75c499dc457efdd75c6f5e71bb3807f275599f2e988ef836f45d45f035e59f3a682950
-
SSDEEP
12288:9yl3GIPVle8AlSCtbIs1WLKc049GNfM3q9RNIwo:9LdlSSIs1WHL9GN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
oboekjkdross.exe
-
Size
799KB
-
MD5
4220d4a32781415bf36e0e159fd38ce1
-
SHA1
832933a30b0833e805f02af041cd787f3169f7d9
-
SHA256
e6b63cd513768974b5415cd8d65e2344f2064f5eed7002c9b58c52b92435c124
-
SHA512
a18e173b375586a1c38cdeac9e4d4d57d07c484fd0a94d853ae5b63e20a3abfbd281fc8f1c89f8c1ea548cd43bde7c6bc3b08a095f7d5c8dd06f46d2640942ed
-
SSDEEP
12288:VZCDjstPVle8oyXeViFmvVsr9puiCNfM3q9RNIwo:V0DjOuYFwV4aN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
puugtqapzxao.exe
-
Size
769KB
-
MD5
0b8d6a7e6d09d1ef259d04a5580a5138
-
SHA1
34beda8270e99335cfd90907f5037250c8fa682e
-
SHA256
9b49cb61c6998d160a3fd448926df1f08277866e62999223ee7bc1455e023ad8
-
SHA512
be6bdef101cdf04f21dd9ddf1166866510b8a1b31ce08b4c962a8fb678f68864c54f729be53c22daaae8b1f6f643f5607fb5a882810f142152a78a016ccb4df5
-
SSDEEP
12288:sunmOayKUGPPVle8m4Ou1bypH3etxcvj8NfM3q9RNIwo:smayKg4OuC3iN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
pyaxlaetvdvq.exe
-
Size
775KB
-
MD5
07d526239f87f95f7c4f07ccde655bb2
-
SHA1
df48aba935e3dfca8307285a8a238a0bfea0284a
-
SHA256
e76c59a509558ab890d91ce3cb15d258bf02744761afe3890288159ae7a10750
-
SHA512
8f23f6d91b9dbfaf280411c560265f50b1bda2068c0b00deee6cf224118218db56d00fbf8a5af2d18ea64737dded682d9d10d2134544d91b14845e623d5453c4
-
SSDEEP
12288:EYCpJrenYPVle8cswhDMW86DVjG+gmNfM3q9RNIwo:EYCXQX1Ax6D3N03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
qywfpvbxbvih.exe
-
Size
763KB
-
MD5
7487d47ee73f83579acea7333014b9eb
-
SHA1
d5826d492bf720306fbdab1d83047d3c8ee2c7cf
-
SHA256
4d33372e2991bc62a668eb682bb840fd6b02b95213ea849195e3fc688208379d
-
SHA512
5c45641e9e4c56653212bd6325163202c842c031c9a2d7843fffd7e6283c8b095843469a83a1ddef488df0c8aead269a4e64e7190be9874a884a33728555d08c
-
SSDEEP
12288:9yYV6aHOa4biYPVle8G3dNi4wixQQsGeOCxNfM3q9RNIwo:9FDunbil3dNi47QjN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
ylyxcgqrxdhu.exe
-
Size
788KB
-
MD5
365077f348eecbc3107a2d6369d0141d
-
SHA1
6e29c1548ab75abae1f9e0761696901a3a345301
-
SHA256
b7c427180dec2c80489a11a9834ba13701a480889b25c13e9180b31ded039ec8
-
SHA512
8783c1b13d3128ed706559c5343fb641dbfdb26c80e33376079b94809e5c48ea40b15ff6cff247efeb3084e6846bcc03473185f1d43fa51fe8bb64fe1fe0f017
-
SSDEEP
12288:Hg3l6y0Wu/JX+opql2PVle8c3jyd74afRHBBLAAs/NfM3q9RNIwo:HE6Hcvjyd74oRHBdAfN03qD
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
30Registry Run Keys / Startup Folder
20Winlogon Helper DLL
10Create or Modify System Process
20Windows Service
20Privilege Escalation
Boot or Logon Autostart Execution
30Registry Run Keys / Startup Folder
20Winlogon Helper DLL
10Create or Modify System Process
20Windows Service
20Abuse Elevation Control Mechanism
10Bypass User Account Control
10