njrat | a137aa68c256f14ab43900828fe890561a893d64fdc4cf7c82ad73e31d3f6d10 | Triage

Submit
Reports

Overview

overview

Static

static

virus.exe

windows10-2004-x64

8

Sharing

General

Target

virus.exe
Size

37KB
Sample

240420-te21mscc22
MD5

fa6f3f80eb4e48037e6b17b58a29ec1a
SHA1

67afa313184f283e2b2e352c5c06bbe087c1db5c
SHA256

a137aa68c256f14ab43900828fe890561a893d64fdc4cf7c82ad73e31d3f6d10
SHA512

7222b8f428aac84b9eb5794776f7f3c0d0aa1d9fec59392f1e9dff7643c1f8f9b4f0e307915dc445970ca002f48cfa9b2c7f3a05db6fe91839b888632be12d8c
SSDEEP

384:IRmjKicg+jn5xL5oyUi8ithMjnP9KYC2DhrAF+rMRTyN/0L+EcoinblneHQM3ept:GmIf5DUi8GMjng12lrM+rMRa8NuDdt

Score

10^/10

njrat bezmamniy evasion persistence

Static task

static1

bezmamniy njrat

2 signatures

Behavioral task

behavioral1

Sample

virus.exe

Resource

win10v2004-20240412-en

evasion persistence

windows10-2004-x64

26 signatures

1800 seconds

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Bezmamniy

C2

basic-values.gl.at.ply.gg:58503

Mutex

4b6699ab871e1185d9ebf603d91d567c

Attributes

reg_key
4b6699ab871e1185d9ebf603d91d567c
splitter
|'|'|

Targets

- Target
  
  virus.exe
- Size
  
  37KB
- MD5
  
  fa6f3f80eb4e48037e6b17b58a29ec1a
- SHA1
  
  67afa313184f283e2b2e352c5c06bbe087c1db5c
- SHA256
  
  a137aa68c256f14ab43900828fe890561a893d64fdc4cf7c82ad73e31d3f6d10
- SHA512
  
  7222b8f428aac84b9eb5794776f7f3c0d0aa1d9fec59392f1e9dff7643c1f8f9b4f0e307915dc445970ca002f48cfa9b2c7f3a05db6fe91839b888632be12d8c
- SSDEEP
  
  384:IRmjKicg+jn5xL5oyUi8ithMjnP9KYC2DhrAF+rMRTyN/0L+EcoinblneHQM3ept:GmIf5DUi8GMjng12lrM+rMRa8NuDdt
Score

8^/10

evasion persistence
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

evasionpersistence

© 2018-2024

Terms | Privacy