General

  • Target

    2240-14-0x00000000011E0000-0x0000000001554000-memory.dmp

  • Size

    3.5MB

  • Sample

    240223-zfx1zahf7s

  • MD5

    5cec3c77e1e2d229f3d68e7776ab8a42

  • SHA1

    6c3d0a5237bbb39aaa4ba58107b41dfd02d88162

  • SHA256

    c9a5a7c6cd4af76f88d11c806f0a7d5187c8f36a0861c504fd7cf196d64140c4

  • SHA512

    77c20acf632812e37cb38bfc7a7d55ec6c54461e13b7247be7e1dd02c818dbe24814fd182e4492b2f01e894d28358decbdf20b121acfac673bc3a6bc3da3ca81

  • SSDEEP

    49152:9HV55beOVyvjpm/bYT4Ir5bxyhkdyIHMb4NnlgiTJUvb5i0x3T:9D5SOCEZIBxyKsbslgaJybB

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

2

C2

than-electoral.gl.at.ply.gg:36364

Mutex

0c8d792f9c21b154330684f6c50ab800

Attributes

  • reg_key

    0c8d792f9c21b154330684f6c50ab800

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is listed as name (ID) and count.

  • Initial Access

    Replication Through Removable Media (T1091), 1

  • Persistence

    Create or Modify System Process (T1543), 1
    Windows Service (T1543.003), 1
    Boot or Logon Autostart Execution (T1547), 1
    Registry Run Keys / Startup Folder (T1547.001), 1

  • Privilege Escalation

    Create or Modify System Process (T1543), 1
    Windows Service (T1543.003), 1
    Boot or Logon Autostart Execution (T1547), 1
    Registry Run Keys / Startup Folder (T1547.001), 1

  • Defense Evasion

    Impair Defenses (T1562), 1
    Disable or Modify System Firewall (T1562.004), 1
    Modify Registry (T1112), 1

  • Discovery

    Query Registry (T1012), 1
    System Information Discovery (T1082), 2

  • Lateral Movement

    Replication Through Removable Media (T1091), 1

Tasks