General

  • Target

    7be930f38a9e53a54cacc4a82173fa10_NEIKI

  • Size

    5.1MB

  • Sample

    240508-atkv5abf62

  • MD5

    7be930f38a9e53a54cacc4a82173fa10

  • SHA1

    cd546cf2788fb107ad8557e6f4b568d7ff46410e

  • SHA256

    27df2c1ab70647bd678c81aa8f8cfba74917f717716d8bd62831265a6bd9a938

  • SHA512

    50f2be660b56503a5d68683eb0bf78ff5d0886d453a9f9b24e31ac75f866f18a672c87a009adee4546562f4174d92fba2f0f523d5f256e6c9c69220485bd94b2

  • SSDEEP

    98304:04w1yBjOwo8WzLwt5yxPnvcTtLRTQLE1wJjG3qnHhuIBqg/QkqXbN/npbiPHsU63:06dOwonseP+Y5G/IBqcWB/4PH0VpMYZv

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    asthbalhacker.ddns.net:5552

  • Mutex

    78d02b5c475533ad161aec928d88af66

  • Attributes

      • reg_key

        78d02b5c475533ad161aec928d88af66

      • splitter

        |'|'|

Targets

    • Target

      7be930f38a9e53a54cacc4a82173fa10_NEIKI

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Initial Access

    T1091 Replication Through Removable Media (1)

  • Persistence

    T1543 Create or Modify System Process (1)
      T1543.003 Windows Service (1)
    T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1543 Create or Modify System Process (1)
      T1543.003 Windows Service (1)
    T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1562 Impair Defenses (1)
      T1562.004 Disable or Modify System Firewall (1)
    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (1)

  • Lateral Movement

    T1091 Replication Through Removable Media (1)

Tasks