Resubmissions

22-05-2024 07:50

240522-jpeb8agg24 10

22-05-2024 07:46

240522-jlztragf56 10

General

  • Target

    Valkyria.exe

  • Size

    8.2MB

  • Sample

    240522-jpeb8agg24

  • MD5

    1626922cadeeedea404cadfe628d7e16

  • SHA1

    9323dbefdd49c84ae79e188b79bac5cee2ab6a6e

  • SHA256

    202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49

  • SHA512

    80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0

  • SSDEEP

    196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SvHost

C2

hakim32.ddns.net:2000

rates-alfred.gl.at.ply.gg:39912

Mutex

07fe81bb92603a7ba50e57049dc09693

Attributes
  • reg_key

    07fe81bb92603a7ba50e57049dc09693

  • splitter

    |'|'|

Extracted

Family

blackguard

C2

https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928

Targets

    • Target

      Valkyria.exe

    • Size

      8.2MB

    • MD5

      1626922cadeeedea404cadfe628d7e16

    • SHA1

      9323dbefdd49c84ae79e188b79bac5cee2ab6a6e

    • SHA256

      202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49

    • SHA512

      80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0

    • SSDEEP

      196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN

    • BlackGuard

      Infostealer first seen in Late 2021.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks