General

  • Target

    0495b38b0984c3f2d636b94e21cc852472f2fe846abb0f059deefcba959d6f4a

  • Size

    16KB

  • Sample

    240419-varjsaae5y

  • MD5

    6239d719b1ddfa2d8405648abbbad046

  • SHA1

    3b63a0924f73a0f151840f0032804f78cbc3e483

  • SHA256

    0495b38b0984c3f2d636b94e21cc852472f2fe846abb0f059deefcba959d6f4a

  • SHA512

    3cb992bc57346dfa3f5050643c3964107be0a99951b5d8c3f46b3e84b37ba2eda08eb7c488ece6c739045ff560c0104bd469a50bb0a730103759fffc2c333d5b

  • SSDEEP

    384:Ed5432gD8TKr2dxAC0yPr5sBn5h5NqOopl8CgJgwVtFy5gxZ:E7Q2gD88YnG5PeOIl8Cp2Fy5gxZ

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    6.tcp.eu.ngrok.io:12041

  • Mutex

    7891fdab3e9ec8884436ba440a809c8a

Attributes
  • reg_key

    7891fdab3e9ec8884436ba440a809c8a

  • splitter

    |'|'|

Targets

    • Target

      3fa1b0d5ab8cc2b3435718e8b625e63e651a6d3df4d7657dc8c3859caeb5b4e9.exe

    • Size

      37KB

    • MD5

      1d641a341df0631bf135f5767440df01

    • SHA1

      2e76be5d5a7f0bae3657a649eb60f47c4fbde3cf

    • SHA256

      3fa1b0d5ab8cc2b3435718e8b625e63e651a6d3df4d7657dc8c3859caeb5b4e9

    • SHA512

      08d78d42b96734006bf0986dd666d0c5a15e2ec4c13817e82f3fe6af55cede59f3685466a2b004ad765fe291b360625490c17e97fa89ef0965b09e7a448ce853

    • SSDEEP

      384:KstKUiDtblmJEpRGyEf7JfJuQCY6iX1rAF+rMRTyN/0L+EcoinblneHQM3epzXk/:dtiHpR9Ef7JsQCFilrM+rMRa8Nuelt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                               Count  ID
Initial Access        Replication Through Removable Media     1      T1091
Persistence           Create or Modify System Process         1      T1543
Persistence           Windows Service                         1      T1543.003
Persistence           Boot or Logon Autostart Execution       1      T1547
Persistence           Registry Run Keys / Startup Folder      1      T1547.001
Privilege Escalation  Create or Modify System Process         1      T1543
Privilege Escalation  Windows Service                         1      T1543.003
Privilege Escalation  Boot or Logon Autostart Execution       1      T1547
Privilege Escalation  Registry Run Keys / Startup Folder      1      T1547.001
Defense Evasion       Impair Defenses                         1      T1562
Defense Evasion       Disable or Modify System Firewall       1      T1562.004
Defense Evasion       Modify Registry                         1      T1112
Discovery             Query Registry                          1      T1012
Discovery             System Information Discovery            2      T1082
Lateral Movement      Replication Through Removable Media     1      T1091
Command and Control   Web Service                             1      T1102
