General

  • Target

    682061b30d5c929bd31e5d23a1a736ead65f124d16732f4e3de2ea973daf0f66

  • Size

    16KB

  • Sample

    240419-v8nksaah77

  • MD5

    c7bcc707254a6b8ba96251df125d90df

  • SHA1

    a5fb15679cf07b7f7a0d1f4355e256183548d7fe

  • SHA256

    682061b30d5c929bd31e5d23a1a736ead65f124d16732f4e3de2ea973daf0f66

  • SHA512

    d49e43998fad1fc15c35cab164a5b877230285aec3e930e729945c42bff545c75d953ce560ef3fdd17f47cb614af4d5c847b4cf9d77e09d8642088503f340e83

  • SSDEEP

    384:jTjUP8Cab0Mbvd4RLMdHLHGXj/4g7Eb64rFHf3tm67QC+p47s:HHJbvWV8rH454b6kpdmW7yt

Score
10/10

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

MAX

C2

0.tcp.eu.ngrok.io:13241

Mutex

0557bafb14c73fcc927e4c1c97522cd6

Attributes
  • reg_key

    0557bafb14c73fcc927e4c1c97522cd6

  • splitter

    |'|'|
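The splitter and version strings above are the most useful protocol-level artefacts in this config: njRAT frames each C2 message as an ASCII decimal length, a NUL byte and the payload, and separates payload fields with the splitter. The following parser applies them to carve a reassembled TCP stream into frames and fields. It is an added example, not code from the report or from njRAT itself; the sample byte stream is constructed here, and the field order used to build the registration ("ll") message is an assumption made only for the sample.

```python
"""
Carving njRAT-style C2 traffic with the splitter from the extracted config.
Added example; the stream below is constructed, not captured traffic, and
the registration field order is an assumption used to build it.
"""
from typing import List, Tuple

SPLITTER = b"|'|'|"   # "splitter" attribute from the extracted config
VERSION = b"im523"    # "Version" from the extracted config


def encode_frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Build one frame: ASCII decimal payload length, NUL, then the payload."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes, splitter: bytes = SPLITTER) -> Tuple[List[List[bytes]], bytes]:
    """Split a reassembled TCP stream into frames, and each frame into fields.

    Returns (frames, leftover). `leftover` is an incomplete trailing frame, so
    the caller can append the next TCP segment and call again.
    """
    frames: List[List[bytes]] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length header still incomplete
        header = stream[pos:nul]
        if not header.isdigit():
            raise ValueError(f"bad length header at offset {pos}: {header!r}")
        start = nul + 1
        end = start + int(header)
        if end > len(stream):
            break                                   # payload truncated, wait for more data
        frames.append(stream[start:end].split(splitter))
        pos = end
    return frames, stream[pos:]


def is_njrat_registration(frame: List[bytes], version: bytes = VERSION) -> bool:
    """Heuristic: an 'll' command with several splitter-separated fields and the version tag."""
    return len(frame) >= 5 and frame[0] == b"ll" and version in frame


# Constructed sample: a registration frame, a one-byte keep-alive, then a
# frame whose header promises 12 bytes but only 9 have arrived.
REGISTRATION = [b"ll", b"SGFja2VkXzAxMjM0NTY3ODk=", b"WIN-LAB", b"user",
                b"24-04-19", b"", b"Win 10 Pro", b"No", VERSION, b".."]
SAMPLE_STREAM = encode_frame(REGISTRATION) + encode_frame([b"P"]) + b"12\x00inf|'|'|x"

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for f in frames:
        tag = "njRAT registration" if is_njrat_registration(f) else ""
        print(f[0], "->", f[1:], tag)
    print("leftover:", rest)
```

Keeping the leftover bytes rather than discarding a short read matters in practice: the registration message is usually the first thing on the wire, and a parser that drops a split frame misses exactly the packet that carries the hostname, user and version tag.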

Targets

    • Target

      6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe

    • Size

      37KB

    • MD5

      a78337c1b891d73341d4012dc77fbea1

    • SHA1

      e80f17b9e3650d9461234efe9cbca0cd96b0b0fb

    • SHA256

      6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f

    • SHA512

      7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73

    • SSDEEP

      384:q2aIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXKL:TFmV10b3+LCtCViVrM+rMRa8NuzWt

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
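The signatures above map onto host telemetry a defender can check directly: a `netsh firewall add allowedprogram` process launch (the "Modifies Windows Firewall" behaviour), a read of the `Geo\Nation` registry value (the location check), and DNS resolution of an ngrok tunnel host matching the extracted C2. The triage below runs those checks over constructed event records. It is an added example, not part of the report; the event field names imitate Sysmon/EDR exports but are an assumption, as is the list of tunnelling-service suffixes. The Run-key check relies on njRAT's known use of its `reg_key` value as an autostart entry and is tagged T1547.001, an ATT&CK ID the report's matrix does not list.

```python
"""
Host-telemetry triage for the behaviours the sandbox flagged on this sample.
Added example; the events are constructed and their schema is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Values taken from the extracted njRAT config above.
REG_KEY = "0557bafb14c73fcc927e4c1c97522cd6"
C2_HOST = "0.tcp.eu.ngrok.io"

# Legacy "netsh firewall" syntax plus the newer advfirewall form.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE,
)
# Registry value behind the "Checks computer location settings" signature.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Run keys; njRAT registers its reg_key value here (assumption from the family's known behaviour).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Public tunnelling services commonly abused for C2 (assumed list).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")


@dataclass
class Hit:
    technique: str
    reason: str
    event: Dict[str, str]


def triage(events: List[Dict[str, str]]) -> List[Hit]:
    """Return one Hit per event that matches a behaviour from the report."""
    hits: List[Hit] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process" and NETSH_ALLOW.search(ev.get("cmdline", "")):
            hits.append(Hit("T1562.004", "firewall exception added via netsh", ev))
        elif kind == "registry":
            key = ev.get("key", "")
            if ev.get("op") == "read" and GEO_NATION.search(key):
                hits.append(Hit("T1012", "read Geo\\Nation (possible geofence)", ev))
            m = RUN_KEY.search(key)
            if ev.get("op") == "write" and m:
                reason = "Run-key persistence"
                if m.group(1).lower() == REG_KEY.lower():
                    reason += f" using this sample's reg_key {REG_KEY}"
                hits.append(Hit("T1547.001", reason, ev))
        elif kind == "dns":
            q = ev.get("query", "").lower().rstrip(".")
            if q == C2_HOST or q.endswith(TUNNEL_SUFFIXES):
                hits.append(Hit("T1102", f"tunnelling service resolved: {q}", ev))
    return hits


# Constructed events: four that should fire and two benign ones.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"type": "registry", "op": "read", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "op": "write",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\0557bafb14c73fcc927e4c1c97522cd6"},
    {"type": "dns", "query": "0.tcp.eu.ngrok.io"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h.technique, "-", h.reason)
```

The ngrok match is deliberately a suffix match rather than the exact C2 host: `0.tcp.eu.ngrok.io:13241` is a per-tunnel assignment, and the same operator can obtain a different subdomain and port on the next run, so the indicator that survives is the tunnelling service itself.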

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ID): number of matches

  • Persistence

    Create or Modify System Process (T1543): 1
      Windows Service (T1543.003): 1

  • Privilege Escalation

    Create or Modify System Process (T1543): 1
      Windows Service (T1543.003): 1

  • Defense Evasion

    Impair Defenses (T1562): 1
      Disable or Modify System Firewall (T1562.004): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1
