Resubmissions

23-02-2024 22:08

240223-12hnvaaa33 10

23-02-2024 15:33

240223-szl99acc54 10

23-02-2024 15:28

240223-swtvxsdb3t 10

23-02-2024 15:18

240223-sp3jgsbh74 10

23-02-2024 15:10

240223-skddssbg69 10

23-02-2024 15:03

240223-se8mracf31 10

General

  • Target

    elol.exe

  • Size

    214KB

  • Sample

    240223-skddssbg69

  • MD5

    faba0d141987f243c5996bacbde9c24a

  • SHA1

    5059d4e64df99075da4b0dd75290ae0d504ef2d6

  • SHA256

    5dae1887c9219823ef4465936e5b45137132eb48fb0dc2197a54ee2e31f0dbdb

  • SHA512

    9e478196cf230ce41982014206bd5c683814620a2b60560e5b4354f818c6842163fc33fb5cdbb1bbae602078f6d6ca2a6bd75ec50adb39049ba38e4fd90a3e9c

  • SSDEEP

    6144:6Iz9zjvM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:6INs2B+64kQHam2dNREz9FdOZMJwGuEu

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:12044

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    |Ghost|

Targets

    • Target

      elol.exe

    • Size

      214KB

    • MD5

      faba0d141987f243c5996bacbde9c24a

    • SHA1

      5059d4e64df99075da4b0dd75290ae0d504ef2d6

    • SHA256

      5dae1887c9219823ef4465936e5b45137132eb48fb0dc2197a54ee2e31f0dbdb

    • SHA512

      9e478196cf230ce41982014206bd5c683814620a2b60560e5b4354f818c6842163fc33fb5cdbb1bbae602078f6d6ca2a6bd75ec50adb39049ba38e4fd90a3e9c

    • SSDEEP

      6144:6Iz9zjvM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:6INs2B+64kQHam2dNREz9FdOZMJwGuEu

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks