General

  • Target

    32e6b362127592ee9e49750e252cb6b3df75c499cefb2045ae05b7f2e76db2e2

  • Size

    16KB

  • Sample

    240419-txzm8sha86

  • MD5

    4bdccbe4a2885528550e069a0920d91a

  • SHA1

    998c72d4573528a261dac8cb747c378c630951e7

  • SHA256

    32e6b362127592ee9e49750e252cb6b3df75c499cefb2045ae05b7f2e76db2e2

  • SHA512

    448226f1e21f3d28ef09679f257377bbf37eeb330c39753a45945df866efcb44417684f4af4f559598cb8b18fe38d0f5a2f2d772f03078b57ae92160b77c13d8

  • SSDEEP

    384:RE4xIYacHy5VhucazvxtntrlSfq670tmzDa8wj6n:exwH+V0caztKh1kjy

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:19483

Mutex

68d7771434a71722449c404baa3e5b31

Attributes

  • reg_key

    68d7771434a71722449c404baa3e5b31

  • splitter

    |'|'|

Targets

    • Target

      8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe

    • Size

      37KB

    • MD5

      b7dd9dd7470af783d5d955b455d58cac

    • SHA1

      bbd0c1d74c948e95f5f007102fbabcf3867a2625

    • SHA256

      8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f

    • SHA512

      af2cec43ea98a7e2c139c1433c4dbcf35ddebc3f70aa8520f64c7096a6f6844f8021cbd22fa4bf46ae4961be1972ca45407b15c1596770fad5cb41c5860fb512

    • SSDEEP

      384:zLe2KMizd9jnBhFbJ8ycPVnvvnwaUBTrAF+rMRTyN/0L+EcoinblneHQM3epzXQD:W2g9lLJfcPVn3VU9rM+rMRa8Nu2Bt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                                    ID          Count
  Persistence           Create or Modify System Process              T1543       1
  Persistence           Windows Service                              T1543.003   1
  Persistence           Boot or Logon Autostart Execution            T1547       1
  Persistence           Registry Run Keys / Startup Folder           T1547.001   1
  Privilege Escalation  Create or Modify System Process              T1543       1
  Privilege Escalation  Windows Service                              T1543.003   1
  Privilege Escalation  Boot or Logon Autostart Execution            T1547       1
  Privilege Escalation  Registry Run Keys / Startup Folder           T1547.001   1
  Defense Evasion       Impair Defenses                              T1562       1
  Defense Evasion       Disable or Modify System Firewall            T1562.004   1
  Defense Evasion       Modify Registry                              T1112       1
  Discovery             Query Registry                               T1012       1
  Discovery             System Information Discovery                 T1082       2
  Command and Control   Web Service                                  T1102       1

Tasks