Overview

overview

10

Static

static

7

derka.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    derka.exe

  • Size

    445KB

  • Sample

    240725-l9zj1awarf

  • MD5

    0fafabbbe5a6a1dae88df02e453ac23b

  • SHA1

    2e0118d3f51c320d759006ef80f2aecd4f9184ab

  • SHA256

    8fb481dadb1d763ba6e666ea1f5d89bc66e23a09e8e1c8705dc6c2f8ae891ee9

  • SHA512

    27b35c404f8e9f2beedce1af87d5e8c2cad3bf248c604082f263ed14512ece1fa978e89e9582bc1ad29fa4c17cefb65997b448f73c763ac2184ac123465f8213

  • SSDEEP

    12288:nOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPijggFE:nq5TfcdHj4fmbqFE

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

insurance-helmet.gl.at.ply.gg:31388

Mutex

82104ae3464ef515625a324e803cdcd6

Attributes
  • reg_key

    82104ae3464ef515625a324e803cdcd6

  • splitter

    |'|'|

Targets

    • Target

      derka.exe

    • Size

      445KB

    • MD5

      0fafabbbe5a6a1dae88df02e453ac23b

    • SHA1

      2e0118d3f51c320d759006ef80f2aecd4f9184ab

    • SHA256

      8fb481dadb1d763ba6e666ea1f5d89bc66e23a09e8e1c8705dc6c2f8ae891ee9

    • SHA512

      27b35c404f8e9f2beedce1af87d5e8c2cad3bf248c604082f263ed14512ece1fa978e89e9582bc1ad29fa4c17cefb65997b448f73c763ac2184ac123465f8213

    • SSDEEP

      12288:nOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPijggFE:nq5TfcdHj4fmbqFE

    Score
    10/10
    njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojanupx

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Scripting

1
T1064

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks