Overview

overview

10

Static

static

10

Systeminte...t).exe

windows7-x64

Systeminte...t).exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Systeminteracts (32 bit).exe

  • Size

    37KB

  • Sample

    240726-hgw2masbrm

  • MD5

    fb3f9f675ace4b0e2e3938b40b4a016e

  • SHA1

    e45bd61c9830bbdaa413f1e5addf2e05c9ccfd6e

  • SHA256

    d2673072e29073998e65da0023a0f4f6d96493ecdfbfee84b044b1947eef11d5

  • SHA512

    ebd2ff3940962155c9ee78dced5a2a2967f81084707e111a47af7fc60109996f4c87ab962c3deac1336464677b99cb48ea3ef76315cedcfd68232678439505f9

  • SSDEEP

    384:ISAjrUiS6L1G5k2gyk/8If5e/QUZSiKrAF+rMRTyN/0L+EcoinblneHQM3epzXr6:sjz32bk/8IQYUZStrM+rMRa8Nutqt

Score
10/10
njrathackedcredential_accessdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojanupx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

20.ip.gl.ply.gg:55257

Mutex

319c1637f1925d788496e1f3109ae4f7

Attributes
  • reg_key

    319c1637f1925d788496e1f3109ae4f7

  • splitter

    |'|'|

Targets

    • Target

      Systeminteracts (32 bit).exe

    • Size

      37KB

    • MD5

      fb3f9f675ace4b0e2e3938b40b4a016e

    • SHA1

      e45bd61c9830bbdaa413f1e5addf2e05c9ccfd6e

    • SHA256

      d2673072e29073998e65da0023a0f4f6d96493ecdfbfee84b044b1947eef11d5

    • SHA512

      ebd2ff3940962155c9ee78dced5a2a2967f81084707e111a47af7fc60109996f4c87ab962c3deac1336464677b99cb48ea3ef76315cedcfd68232678439505f9

    • SSDEEP

      384:ISAjrUiS6L1G5k2gyk/8If5e/QUZSiKrAF+rMRTyN/0L+EcoinblneHQM3epzXr6:sjz32bk/8IQYUZStrM+rMRa8Nutqt

    Score
    10/10
    njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojancredential_accessspywarestealerupx

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks