General

  • Target:  8949112a3e17e2dc4a24947efa28f504ec45d34408c42b545a85d07f54effea1
  • Size:    16KB
  • Sample:  240419-t9hv9ahe79
  • MD5:     93ad84110f7464cb4585c49e960afb46
  • SHA1:    7e7dcd93ef494cbb46c1213a2c8fc0026f8c72a9
  • SHA256:  8949112a3e17e2dc4a24947efa28f504ec45d34408c42b545a85d07f54effea1
  • SHA512:  6f6b0f9ed9776a834b084f32056174352eba55bf8a511b94a3d3064980663fee4e651164f65cd16a11a70739c93bc2c1923a2350e8185610f74998d5711e02ac
  • SSDEEP:  384:IMf7DqJOwbwEjY7omqVSEMXY6XmaGzZb04YYUgsr5T/:Ff7DqJOwE0JVSEMo9aGh04YfP5z

Malware Config

Extracted

  • Family:   njrat
  • Version:  im523
  • Botnet:   HacKed
  • C2:       0.tcp.eu.ngrok.io:15184
  • Mutex:    c502ee9893aaa40a8d929234e5c9b5c8
  • Attributes
      • reg_key:   c502ee9893aaa40a8d929234e5c9b5c8
      • splitter:  |'|'|

Targets

  • Target:  502869ac1880a412f2a5d8dae93b506d98acb48f10cdb32bcdc3517fc9721711.exe
  • Size:    37KB
  • MD5:     bae07bd6859074bae50dbebfbde6807f
  • SHA1:    072942a2f73e4f7f83d5559499f4c7c22136f559
  • SHA256:  502869ac1880a412f2a5d8dae93b506d98acb48f10cdb32bcdc3517fc9721711
  • SHA512:  724689e8a1d9915a970c751c98ce45fca0d945a6a4328aee388ffcdb8076307a438f4196c0016bf052306ecd70453ec19db2788873d23f17e876d7bf09337e30
  • SSDEEP:  384:nOick7sgwi+tx3+j/NSyszg8QPBI3mmTlrAF+rMRTyN/0L+EcoinblneHQM3epzt:O5kQLCNhszg8QeWmBrM+rMRa8NuN3t

  Detected behaviours:

    • njRAT/Bladabindi
      Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Drops autorun.inf file
      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                                Count  ID
  Initial Access         Replication Through Removable Media      1      T1091
  Persistence            Create or Modify System Process          1      T1543
                         Windows Service                          1      T1543.003
                         Boot or Logon Autostart Execution        1      T1547
                         Registry Run Keys / Startup Folder       1      T1547.001
  Privilege Escalation   Create or Modify System Process          1      T1543
                         Windows Service                          1      T1543.003
                         Boot or Logon Autostart Execution        1      T1547
                         Registry Run Keys / Startup Folder       1      T1547.001
  Defense Evasion        Impair Defenses                          1      T1562
                         Disable or Modify System Firewall        1      T1562.004
                         Modify Registry                          1      T1112
  Discovery              Query Registry                           1      T1012
                         System Information Discovery             2      T1082
  Lateral Movement       Replication Through Removable Media      1      T1091
  Command and Control    Web Service                              1      T1102
