General
-
Target
Cracked_wave.exe
-
Size
26.0MB
-
Sample
240726-xsp5saydnr
-
MD5
9330b25f7ac3eb34a5f5b8f724e9cda1
-
SHA1
29853b957e4b073f83f25fc7b333a4fc262792e3
-
SHA256
b4dbcee5210537d5ec0a232990fccb8018bf898c88636849e6fc4bb38de62436
-
SHA512
c3fdf6114fc370d8db27091f1e4b3e19fc123e05bbba3b1f96c748d25bacccb8b32f2da9a96141a7b6af524a66fda67658aab5aa75f93fdb29031a43bc7a885d
-
SSDEEP
786432:B7zjkRQo93SGLxRIHn6MX52t7wQepJ1kNXXjh:WmsD1M6O52tRev1k1Th
Malware Config
Extracted
njrat
im523
HacKed
20.ip.gl.ply.gg:55257
319c1637f1925d788496e1f3109ae4f7
-
reg_key
319c1637f1925d788496e1f3109ae4f7
-
splitter
|'|'|
Targets
-
-
Target
Cracked_wave.exe
-
Size
26.0MB
-
MD5
9330b25f7ac3eb34a5f5b8f724e9cda1
-
SHA1
29853b957e4b073f83f25fc7b333a4fc262792e3
-
SHA256
b4dbcee5210537d5ec0a232990fccb8018bf898c88636849e6fc4bb38de62436
-
SHA512
c3fdf6114fc370d8db27091f1e4b3e19fc123e05bbba3b1f96c748d25bacccb8b32f2da9a96141a7b6af524a66fda67658aab5aa75f93fdb29031a43bc7a885d
-
SSDEEP
786432:B7zjkRQo93SGLxRIHn6MX52t7wQepJ1kNXXjh:WmsD1M6O52tRev1k1Th
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3