General

  • Target

    r-aimbot.exe

  • Size

    1.3MB

  • Sample

    240515-w37bdade4x

  • MD5

    85efcbade32807af41583a1ef178ed74

  • SHA1

    cba6087e38ab2e50928fc6705355e3ef2665a683

  • SHA256

    d612d8a9e612be6bd433cec7b09e302ed98eaf472be7047c4cc7e98bfbe0d944

  • SHA512

    022c81ec4daffd2e4b449c1cc8e85e454c074925b8e03f60adb40c5b9f2d5a97c1188351dda43fb811ff0a5c483a221f05f124c432233d69ed315d15a19561e5

  • SSDEEP

    24576:e4rl9vd2hXYVHGQjV6+S9YKogmHcuwiqnw+MCL674hUhABZP3vWjAFPDTNJ:rl0QHGAq9YKJmH4pM6hdBJ3vWjAFPDBJ

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

SteamGift__

C2

masterlaith.publicvm.com:5552

Mutex

88a41d3535aad80a532ad2e6fa138beb

Attributes
  • reg_key

    88a41d3535aad80a532ad2e6fa138beb

  • splitter

    |'|'|
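The extracted splitter, botnet name and C2 are enough to build network detection for this campaign. The following is an added example, not part of the original report and not code from the sample: it parses an njRAT client-to-C2 stream into messages using the configured splitter, checks whether a registration beacon belongs to the `SteamGift__` botnet, and emits the splitter as a hex-escaped content match for a Suricata or Snort rule. The framing (ASCII decimal payload length, a NUL byte, then the payload) and the field layout of the `ll` registration message (command, then `<botnet>_<volume serial>`, then hostname) are assumptions drawn from public analyses of njRAT 0.7d-era builds; the report does not reproduce the traffic, so the sample stream below is constructed.

```python
from typing import List, Tuple

# Values copied from the extracted config above.
SPLITTER = b"|'|'|"
C2_HOST, C2_PORT = "masterlaith.publicvm.com", 5552
BOTNET = "SteamGift__"
MUTEX = "88a41d3535aad80a532ad2e6fa138beb"


def parse_frames(stream: bytes, splitter: bytes = SPLITTER) -> Tuple[List[List[bytes]], bytes]:
    """Split a client->C2 TCP stream into njRAT messages.

    Framing assumed here (public njRAT write-ups, not this report): ASCII
    decimal payload length, one NUL byte, then the payload, whose fields are
    separated by the configured splitter. Returns (messages, leftover), where
    leftover is a trailing frame that has not been fully received yet.
    """
    messages: List[List[bytes]] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                  # header not complete yet
        header = stream[pos:nul]
        if not header.isdigit():
            raise ValueError(f"bad length header {header!r} at offset {pos}")
        start, end = nul + 1, nul + 1 + int(header)
        if end > len(stream):
            break                                  # payload not fully received
        messages.append(stream[start:end].split(splitter))
        pos = end
    return messages, stream[pos:]


def is_campaign_registration(fields: List[bytes], botnet: str = BOTNET) -> bool:
    """True if the message looks like an 'll' registration for this botnet.

    Assumption: field 0 is the command and field 1 is the victim ID, formed
    as <botnet>_<volume serial>, so the configured botnet name is a prefix.
    """
    return (
        len(fields) >= 2
        and fields[0] == b"ll"
        and fields[1].startswith(botnet.encode() + b"_")
    )


def suricata_content(splitter: bytes = SPLITTER) -> str:
    """Hex-escape the splitter for a Suricata/Snort content: match.

    '|' is the hex delimiter in rule syntax, so the literal splitter cannot be
    written as text; emitting every byte as hex sidesteps the escaping.
    """
    return "|" + " ".join(f"{b:02x}" for b in splitter) + "|"


# Constructed sample: one complete registration message followed by a
# truncated frame (header announces 7 bytes, only 3 are present).
_REG_FIELDS = [
    b"ll",
    b"SteamGift___1A2B3C4D",            # <botnet>_<volume serial> (assumed layout)
    b"DESKTOP-TEST", b"victim", b"24-05-15", b"",
    b"Win 10 Pro SP0 x64", b"No", b"im523", b"..", b"Notepad",
]
_REG_PAYLOAD = SPLITTER.join(_REG_FIELDS)
SAMPLE_STREAM = str(len(_REG_PAYLOAD)).encode() + b"\x00" + _REG_PAYLOAD + b"7\x00xyz"


def triage_stream(stream: bytes = SAMPLE_STREAM) -> dict:
    """Summarise what a defender would pull out of a captured stream."""
    messages, leftover = parse_frames(stream)
    registrations = [m for m in messages if is_campaign_registration(m)]
    return {
        "messages": len(messages),
        "registrations_for_campaign": len(registrations),
        "hostnames": [m[2].decode(errors="replace") for m in registrations],
        "leftover_bytes": len(leftover),
        "suricata_content": suricata_content(),
        "c2": f"{C2_HOST}:{C2_PORT}",
    }


if __name__ == "__main__":
    for key, value in triage_stream().items():
        print(f"{key}: {value}")
```

Matching on the splitter rather than on the C2 hostname is deliberate: `publicvm.com` is a dynamic DNS service, so the hostname can be repointed at any time, while the splitter is baked into the builder's config and shared by every bot built from it. A length header that is not all digits raises instead of being skipped, because a desynchronised stream should be looked at rather than silently resynchronised.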

Targets

    • Target

      r-aimbot.exe

    • Size

      1.3MB

    • MD5

      85efcbade32807af41583a1ef178ed74

    • SHA1

      cba6087e38ab2e50928fc6705355e3ef2665a683

    • SHA256

      d612d8a9e612be6bd433cec7b09e302ed98eaf472be7047c4cc7e98bfbe0d944

    • SHA512

      022c81ec4daffd2e4b449c1cc8e85e454c074925b8e03f60adb40c5b9f2d5a97c1188351dda43fb811ff0a5c483a221f05f124c432233d69ed315d15a19561e5

    • SSDEEP

      24576:e4rl9vd2hXYVHGQjV6+S9YKogmHcuwiqnw+MCL674hUhABZP3vWjAFPDTNJ:rl0QHGAq9YKJmH4pM6hdBJ3vWjAFPDBJ

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      fuck.exe

    • Size

      1.1MB

    • MD5

      3ee6841e13ab3b14fb292f316d978b63

    • SHA1

      a1350928f6a12013e087f8c3bf6ff19418f4de85

    • SHA256

      da70a8f8696cd01ffa41596ed6c8ad6f880db3fc79a2955cb93ce9eec81059d9

    • SHA512

      64ba822ac323ccbb4fd8d1d7ce67607086b2d6dd60f7699c260570ba7517329fba73389a2b6fada33da1b33d9f323d5c5b063652973f806b49ccfdbda54787ca

    • SSDEEP

      24576:1CXYdVWtQjz9+S+YK/gm8iuViqJzJJZW6V4WdhrBWPsvj:LPWtAd+YK4m8rDJ+WbBEsvj

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Target

      r-aimbot.exe

    • Size

      304KB

    • MD5

      1b15246eba422c272c4622e4eef21905

    • SHA1

      a14275ce8215f7938e4caf0b29051e0c06c87a90

    • SHA256

      feb0426e4c0d98e8fedc2be59935018fb711a47abb2973f3344a0e4ddb95d598

    • SHA512

      94317cba766149b1ff3ac36013bba19c196a17b70da8fdab82dc6f2c9882ad10fa17b13bc4a779ab6a9ba02b7401d5fc6f32fd44d3ebebddfc5abf1b8efadbd4

    • SSDEEP

      6144:knx1x2Dfvek42txA8+/nvGFm+ltYkTflDuONxDpHlGcUrjtxxEK:e4O/kx78nvGFm+jP9DusDpHlGcA

    Score
    8/10
    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      WindowsApplication4.exe

    • Size

      382KB

    • MD5

      066cc745306b01afad0a7b776f0a4f6c

    • SHA1

      a93e5693beb28eec8528cc22e89f0d2d31c19323

    • SHA256

      1948a2375fad11060d110eb5b45b26f37fd7c34918e8c1c39eb2d963b341a3f7

    • SHA512

      817714779ab779409b8fc3465ac2f83d9b488d18b8f0c66dd14131139cd58176fbc8478230594249f5a1b6a7fb60e1de66bffb0e9eb64b11e87689513c4ea766

    • SSDEEP

      6144:xFHPVCtBi7NYHaAVFm+ltY7TflDuOSxDUHlGcUEf8QAVZHsZ66zEQ:f8tBIfAVFm+jK9DuJDUHlGcFffAVZHs/

    Score
    8/10
    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      r-aimbot.exe

    • Size

      5KB

    • MD5

      474ef2b507f2828faf212417ebb84eee

    • SHA1

      de97020b7be94f5b78dbd105c9580c12d7faa705

    • SHA256

      7fc254954bcc79de826439460697c10e392861bd22df5c6b9a26b6a6b5558b9f

    • SHA512

      decbc46d8de10eae11a9a2cb2460cfe47e04d283b69919a8b25dc3c1ba75e204c180942534ade61e9e2a3f7c37c94ec556b3b793fab0e86a2e48627a7f9b957c

    • SSDEEP

      96:rp0ILOQhuiv6ZXfAoXOtCrZQ9uARO+UtDmVthcX:rjL7hVgXfAlCrZQ9uSOjtAC

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.
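The "Drops autorun.inf file" finding on the second target concerns spreading via removable media. As an added example that is not part of this report and not code from the sample, the following parses an autorun.inf taken from a mounted volume and lists every directive that would launch or present a program (`open`, `shellexecute`, `shell\<verb>\command`, and a custom default `shell` verb). The file contents are constructed for the example; the report does not reproduce what the sample actually wrote, and the `fuck.exe` name is borrowed from the second target only to make the output readable.

```python
import re
from typing import Dict, List

# [autorun] keys that make Windows run or offer a program when the volume is
# attached or its drive icon is opened.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif")


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for autorun.inf.

    Hand-written rather than configparser because files dropped by worms
    contain duplicate keys, stray whitespace, a BOM and mixed case that the
    stdlib parser rejects. Sections and keys are lower-cased; last value wins.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _target_binary(command: str) -> str:
    """Return the program named in a command line, unquoted, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def autorun_findings(text: str) -> List[str]:
    """Describe every way this autorun.inf would cause a program to run."""
    findings: List[str] = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        label = None
        if key in EXEC_KEYS:
            label = key
        else:
            match = SHELL_CMD_RE.match(key)
            if match:
                label = f"shell\\{match.group(1)}\\command"
        if label is None:
            continue
        binary = _target_binary(value)
        flag = " (executable)" if binary.lower().endswith(EXECUTABLE_EXT) else ""
        findings.append(f"{label} -> {binary}{flag}")
    # A custom default verb means double-clicking the drive runs that verb's command.
    if "shell" in autorun:
        findings.append(f"default verb = {autorun['shell']}")
    return findings


# Constructed sample in the style of worm-dropped autorun.inf files; not the
# file the sample wrote, which the report above does not reproduce.
SAMPLE_AUTORUN = """\
[AutoRun]
; spacing and case vary between samples
Open = fuck.exe
ShellExecute=fuck.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
Action=Open folder to view files
shell\\Open\\Command="fuck.exe" -run
shell\\Explore\\Command=fuck.exe
Shell=Open
"""


if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN):
        print(finding)
```

One caveat for triage: since Microsoft's 2011 update to AutoRun behaviour (KB971029), Windows ignores autorun.inf on USB and other non-optical removable media, so on a patched host the file no longer executes anything by itself. It still matters as evidence of worm-like intent and as a pointer to the executable the malware copied onto the volume, which is what the parser surfaces.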
