General

  • Target

    8363cb13ab33693e3becb25d2ba06908b5071921e4d2bfbec410c38f593267b3

  • Size

    16KB

  • Sample

    240419-vas3lshf46

  • MD5

    e2e524c7032f95f70c527e4ab4754272

  • SHA1

    17bac8b4840cda0e835a12f2b3164858bec98942

  • SHA256

    8363cb13ab33693e3becb25d2ba06908b5071921e4d2bfbec410c38f593267b3

  • SHA512

    acc92d7b5170569a0d6111a49813b8ce2f8f09592002f39959665602e444b1cd3ad43956a49f88c22c869197891487d8243fb926ad08faef2c7ce3adde11bcc6

  • SSDEEP

    384:BUdzhpd8WjQy2pShP7B+JEtPxMRC0qauC/+X5f:ipd8WjQy2pSJDx6RQ3CWXt

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:18227

Mutex

fa8cebf4f3fd11252bf351a94ee5fa4a

Attributes
  • reg_key

    fa8cebf4f3fd11252bf351a94ee5fa4a

  • splitter

    |'|'|
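
The splitter above is the field delimiter njRAT puts between the parts of each C2 message, so it is the key to carving fields out of a capture. The block below is an added example, not code from the report, the sandbox or the malware: it frames a byte stream and splits each message on that splitter. The framing (decimal ASCII message length, a NUL byte, then the payload) is an assumption to confirm against a real capture, and the message contents in SAMPLE are constructed.

```python
"""Carve njRAT C2 messages out of a byte stream using the splitter from the extracted config."""

SPLITTER = "|'|'|"  # field delimiter from the extracted config on this page


def frame_messages(stream: bytes):
    """Split a raw TCP stream into complete message payloads.

    Assumed framing: b"<decimal length>\\x00<payload>". Returns the list of
    complete payloads and the unconsumed tail (a partial frame waits for more data).
    """
    msgs = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length field yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length field at offset {pos}: {length_field!r}")
        length = int(length_field)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break  # partial frame: leave it in the remainder
        msgs.append(stream[start:end])
        pos = end
    return msgs, stream[pos:]


def split_fields(payload: bytes, splitter: str = SPLITTER):
    """Break one message payload into its fields on the configured splitter."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def parse_stream(stream: bytes):
    """Return ([fields per complete message], unconsumed tail)."""
    msgs, rest = frame_messages(stream)
    return [split_fields(m) for m in msgs], rest


def build_message(*fields, splitter: str = SPLITTER) -> bytes:
    """Encode fields the same way, so captures can be re-synthesised for testing."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream (not taken from the sandbox run): two messages whose
# field values are made up; only the splitter and the assumed framing are njRAT-like.
SAMPLE = (
    build_message("ll", "HacKed_fa8cebf4f3fd11252bf351a94ee5fa4a", "DESKTOP-01", "user")
    + build_message("P")
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE + b"5\x00ab")  # trailing partial frame
    for fields in msgs:
        print(fields)
    print("leftover:", rest)
```

Feed the function the reassembled payload of one TCP direction; the returned tail is what to carry over to the next read so a frame split across two segments is not lost.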

Targets

    • Target

      d812b05b85a25ab0ec4258f8a4e9adda4a84d2df5b07fed42b84de539dfcabc8.exe

    • Size

      37KB

    • MD5

      0a7d2bbbe2960ff24b9273036fc472da

    • SHA1

      3b0fbb910651427a6a103327a0630e96acb8649c

    • SHA256

      d812b05b85a25ab0ec4258f8a4e9adda4a84d2df5b07fed42b84de539dfcabc8

    • SHA512

      8266b81b3d24b0650465d35a5cf83ea4339f7cf417a78e4a5bd8eb5d111bd90eeb1c672dbe7a2c6f772849aecf13c6fe62488958cd27986727cd723d154dd62f

    • SSDEEP

      384:jstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzX48:YtiHpR9Ef7JsQCFiArM+rMRa8NuqUt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry; likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.
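
The behaviours listed above, together with the extracted config, map directly onto host and network checks. The block below is an added example (not part of the report or the sandbox's own signature logic) that runs those checks over constructed Sysmon-style events: a Run key value named after the reg_key, a firewall change, an autorun.inf written to a removable volume, and DNS or connection activity to the ngrok TCP tunnel C2. Each hit is tagged with the ATT&CK ID the matrix section gives it. The event field names, the netsh command line and the sample records are constructed assumptions, not telemetry from this run.

```python
"""Check constructed host/network events for the njRAT behaviours reported on this page."""
import re

# Indicators taken from the extracted config above
C2_HOST, C2_PORT = "2.tcp.eu.ngrok.io", 18227
REG_KEY = "fa8cebf4f3fd11252bf351a94ee5fa4a"

# Run / RunOnce value under any hive (T1547.001)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.I
)
# ngrok TCP tunnel endpoints look like N.tcp[.region].ngrok.io (T1102)
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.I)
# autorun.inf at the root of a volume (T1091)
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)
# Assumption: the firewall change is done through netsh, as njRAT samples commonly do (T1562.004)
NETSH_FW_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:firewall|advfirewall)\b.*\b(?:add|set)\b", re.I)


def check_event(ev: dict):
    """Return (technique_id, reason) when the event matches a reported behaviour, else None."""
    kind = ev.get("type")
    if kind == "registry_set":
        m = RUN_KEY_RE.search(ev["path"])
        if m:
            reason = "Run key value added"
            if m["name"].lower() == REG_KEY:
                reason += " with the njRAT reg_key as its name"
            return ("T1547.001", reason)
    elif kind == "process_create":
        if NETSH_FW_RE.search(ev["cmdline"]):
            return ("T1562.004", "firewall rule changed via netsh")
    elif kind == "file_create":
        if AUTORUN_RE.match(ev["path"]) and ev.get("removable"):
            return ("T1091", "autorun.inf written to the root of a removable volume")
    elif kind == "dns_query":
        if NGROK_TCP_RE.match(ev["query"]):
            return ("T1102", "ngrok TCP tunnel host resolved")
    elif kind == "net_connect":
        if ev["dst_host"].lower() == C2_HOST and ev["dst_port"] == C2_PORT:
            return ("T1102", "connection to the configured C2 endpoint")
    return None


def scan(events):
    """Return [(event_id, technique_id, reason)] for every matching event."""
    return [(ev["id"], *hit) for ev in events if (hit := check_event(ev))]


# Constructed telemetry; schema and values are assumptions for illustration only.
EVENTS = [
    {"id": 1, "type": "registry_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fa8cebf4f3fd11252bf351a94ee5fa4a"},
    {"id": 2, "type": "process_create",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\u\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"id": 3, "type": "file_create", "path": r"E:\autorun.inf", "removable": True},
    {"id": 4, "type": "file_create", "path": r"C:\autorun.inf", "removable": False},
    {"id": 5, "type": "dns_query", "query": "2.tcp.eu.ngrok.io"},
    {"id": 6, "type": "net_connect", "dst_host": "2.tcp.eu.ngrok.io", "dst_port": 18227},
    {"id": 7, "type": "process_create", "cmdline": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for event_id, technique, reason in scan(EVENTS):
        print(f"event {event_id}: {technique} - {reason}")
```

The ngrok check is deliberately generic rather than pinned to the single hostname in the config: the tunnel number and region vary per operator session, so the shape of the name is the durable indicator, while the exact host:port pair remains a high-confidence match for this sample.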

MITRE ATT&CK Matrix (ATT&CK v13)

Each row is a technique the sandbox mapped from the signatures above; the last column is the number of matching signatures.

Tactic                | Technique                              | ID        | Matches
----------------------|----------------------------------------|-----------|--------
Initial Access        | Replication Through Removable Media    | T1091     | 1
Persistence           | Create or Modify System Process        | T1543     | 1
                      |   Windows Service                      | T1543.003 | 1
                      | Boot or Logon Autostart Execution      | T1547     | 1
                      |   Registry Run Keys / Startup Folder   | T1547.001 | 1
Privilege Escalation  | Create or Modify System Process        | T1543     | 1
                      |   Windows Service                      | T1543.003 | 1
                      | Boot or Logon Autostart Execution      | T1547     | 1
                      |   Registry Run Keys / Startup Folder   | T1547.001 | 1
Defense Evasion       | Impair Defenses                        | T1562     | 1
                      |   Disable or Modify System Firewall    | T1562.004 | 1
                      | Modify Registry                        | T1112     | 1
Discovery             | Query Registry                         | T1012     | 1
                      | System Information Discovery           | T1082     | 2
Lateral Movement      | Replication Through Removable Media    | T1091     | 1
Command and Control   | Web Service                            | T1102     | 1

Tasks