General

  • Target

    fetg.exe

  • Size

    37KB

  • Sample

    240413-zn13lahg27

  • MD5

    ae4e4403a38930cfb2162c624e8b38d2

  • SHA1

    b9cedecd6d6b365d785b1da0543b3957461d19d4

  • SHA256

    f96909c54e460ec8c89fc3b8a160d523d27089844fa8bbfffa2c99eef188cee3

  • SHA512

    c73fa77c3cf00808633a7a52a8db3b137e15ad4ae97912caced69287ca34debfb79516218a17b287d5234969b2ca11d11f3775ea427b3799de808ef8dd56f1cf

  • SSDEEP

    384:zaqIiuVjtD+P3V+y0bf2TKtvN4suKfYrAF+rMRTyN/0L+EcoinblneHQM3epzXdk:ONmV10bf2TKtClKQrM+rMRa8Nuyvt

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    tcp.eu.ngrok.io:15640

  • Mutex

    cbe1352502f3ef3b65e89dcbf4c51389

  • Attributes

    • reg_key

      cbe1352502f3ef3b65e89dcbf4c51389

    • splitter

      |'|'|

Targets

    • Target

      fetg.exe

    • Size

      37KB

    • MD5

      ae4e4403a38930cfb2162c624e8b38d2

    • SHA1

      b9cedecd6d6b365d785b1da0543b3957461d19d4

    • SHA256

      f96909c54e460ec8c89fc3b8a160d523d27089844fa8bbfffa2c99eef188cee3

    • SHA512

      c73fa77c3cf00808633a7a52a8db3b137e15ad4ae97912caced69287ca34debfb79516218a17b287d5234969b2ca11d11f3775ea427b3799de808ef8dd56f1cf

    • SSDEEP

      384:zaqIiuVjtD+P3V+y0bf2TKtvN4suKfYrAF+rMRTyN/0L+EcoinblneHQM3epzXdk:ONmV10bf2TKtClKQrM+rMRa8Nuyvt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scripting, T1064 (1)

  • Persistence

    Create or Modify System Process, T1543 (1)

    Windows Service, T1543.003 (1)

  • Privilege Escalation

    Create or Modify System Process, T1543 (1)

    Windows Service, T1543.003 (1)

  • Defense Evasion

    Impair Defenses, T1562 (1)

    Disable or Modify System Firewall, T1562.004 (1)

    Scripting, T1064 (1)

  • Credential Access

    Unsecured Credentials, T1552 (1)

    Credentials In Files, T1552.001 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (3)

  • Collection

    Data from Local System, T1005 (1)

  • Command and Control

    Web Service, T1102 (1)