General

  • Target: Playit.exe
  • Size: 2.6MB
  • Sample: 240221-mr8kmaef47
  • MD5: 9d98697b2af7681c1329b51129225190
  • SHA1: 4d4afe3e2a20c6dce5087eb2a1d56328d81ae3c4
  • SHA256: 678b0dff4f92352a4840f753bb67b8330ab9121863190018d74eabf2a5989a3e
  • SHA512: 37d969f1cb291f1fcbd1d0921cd47d9fc1adee650006206f10c9e9ca756bb619fae4daa28f8f258d607f110f53d3d6db4ccc115800700ec2e388a5a61928545c
  • SSDEEP: 49152:Dg6p5g285i+lKwfpHEShZKtFCSuAhqxT754nsrU1lWxnHaB7oFu:ppKxXpHRZKtFCwAxTtKjWx6h

Malware Config

Extracted

  • Family: orcus
  • Botnet: YT
  • C2: 37.115.42.57:12332
  • Mutex: 53742fd548414cf39dbee531c112f4aa
  • Attributes
      • autostart_method: TaskScheduler
      • enable_keylogger: true
      • install_path: %programfiles%\Nvidia\ms_edge.exe
      • reconnect_delay: 10000
      • registry_keyname: Microsoft Experience Manager
      • taskscheduler_taskname: Microsoft Update Health
      • watchdog_path: Temp\EdgeControll.exe

Extracted

  • Family: njrat
  • Version: im523
  • Botnet: ыфыап
  • C2: 37.115.42.57:12332
  • Mutex: bbc39b70f5feae23b24edc38bd8b57d8
  • Attributes
      • reg_key: bbc39b70f5feae23b24edc38bd8b57d8
      • splitter: |'|'|

Targets

    • Orcus
      Orcus is a Remote Access Trojan that is being sold on underground forums.
    • Orcus main payload
    • njRAT/Bladabindi
      Widely used RAT written in .NET.
    • Orcus Rat Executable
    • Modifies Windows Firewall
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1543 Create or Modify System Process (1)
  • T1543.003 Windows Service (1)
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1543 Create or Modify System Process (1)
  • T1543.003 Windows Service (1)
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1562 Impair Defenses (1)
  • T1562.004 Disable or Modify System Firewall (1)
  • T1112 Modify Registry (1)

Discovery
  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)

Command and Control
  • T1102 Web Service (1)
