Resubmissions

  • 14-10-2024 14:49

    241014-r67zvsvaqq (score 10)

  • 16-08-2024 15:07

    240816-sheh3svenq (score 10)

  • 16-08-2024 14:46

    240816-r5jkwazgpa (score 10)

General

  • Target

    GangBeasts.exe

  • Size

    7.6MB

  • Sample

    240816-r5jkwazgpa

  • MD5

    25ca0c07fa5e3b2fc1a30e5419a13c17

  • SHA1

    0231b575d2f96de4a9f510b081e5f519c5bafabd

  • SHA256

    a5ef976d928a096d7e298343b16ba54632411dc7fcb97f93e229ea24702578db

  • SHA512

    d7d87ab9dd41c97289f94dfeb6141972c101942a0a466c5f1eda581b5ef81c5c9666bbd518bcb6db80d5ccbbc03db27c55a53cd1fd10845d89d49391d9bf91ab

  • SSDEEP

    196608:n0+R+YMhI/tizvNSE28tpobqjglbxvb65j0iQtgcN+QiP1eggYej0WALg:n0+R+YMhI/tizvN88tpo28lFvWp0i2Zv

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

kosomk 555

C2

dovelabobzgnan.ddns.net:5552

Mutex

a8c0d4cf5cfc2cc1149b5e071c2ab5df

Attributes

  • reg_key

    a8c0d4cf5cfc2cc1149b5e071c2ab5df

  • splitter

    |'|'|

Targets

    • Target

      GangBeasts.exe

    • Size

      7.6MB

    • MD5

      25ca0c07fa5e3b2fc1a30e5419a13c17

    • SHA1

      0231b575d2f96de4a9f510b081e5f519c5bafabd

    • SHA256

      a5ef976d928a096d7e298343b16ba54632411dc7fcb97f93e229ea24702578db

    • SHA512

      d7d87ab9dd41c97289f94dfeb6141972c101942a0a466c5f1eda581b5ef81c5c9666bbd518bcb6db80d5ccbbc03db27c55a53cd1fd10845d89d49391d9bf91ab

    • SSDEEP

      196608:n0+R+YMhI/tizvNSE28tpobqjglbxvb65j0iQtgcN+QiP1eggYej0WALg:n0+R+YMhI/tizvN88tpo28lFvWp0i2Zv

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copy of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Target

      Built.exe

    • Size

      7.4MB

    • MD5

      5531aaf254a3ef858aa2808a87e6c3c0

    • SHA1

      18a8a22cfa4f987dddef5ce39b2a6118ec32a196

    • SHA256

      45567c82cc7277f5aa2cb693f6abfa0c0b91d2a472e91fe0643e17dab855d3a8

    • SHA512

      2e880257c6da44836a19b2d8f7a47ea1d21d94b50eb61543f5b9478e274343d7367ccd3c62c645861c03089550c85fdd92df61dd94bd79381757521a9ea45d68

    • SSDEEP

      196608:Q48PIdLjv+bhqNVoB0SEsucQZ41JBbIM11tR:z8PIlL+9qz80SJHQK1Jx1vR

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copy of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Target

      Gang Beasts.exe

    • Size

      638KB

    • MD5

      23d2ae54e204abdee7c3477a0eeaa93f

    • SHA1

      99148c265a4b419855e4720ac802483b12568227

    • SHA256

      621740b8a66c1b2432354dfbe2963c88902bca33d871ec919ad56470aff55d19

    • SHA512

      d870ce4d6746675ef804a4a42177f664b54991ba6ea2c4ec751285d5a2b83479ed3f1c674913e8ff6f37099fa2c393848a878689dc25f333b2d27f2cc70c5568

    • SSDEEP

      6144:rEbaWnBUCG6WlhZYFg26spvzxA3ixGkNru:roCC9WlhZYG26cvzx9Fu

    • Score

      1/10

    • Target

      kosomk.exe

    • Size

      23KB

    • MD5

      926e2c78bcea51e5309db037b18b4202

    • SHA1

      d4b80f95bfdc9c2ff860ac0cc2012a81b425801d

    • SHA256

      1d74f423f423175189fbe07b34697cae04d6d48181efbed5c3b790a137145f10

    • SHA512

      6962876b91bcf7d40d9250dde094ce560f3b3c7a4766ac5e810d27de46cd4167937042d5ae94b21f21a1b19dc4c39dc0107e2aac1fbcd17680345f2fe06354a1

    • SSDEEP

      384:Ac6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZ0k:/IU0tw3RpcnuK

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15