Resubmissions

15-09-2024 22:00

240915-1wpj7svapc 10

15-09-2024 21:56

240915-1tbwbsthne 10

20-08-2024 13:49

240820-q4v2vayfmp 10

General

  • Target

    Bazaar.2020.02.7z

  • Size

    6.3MB

  • Sample

    240915-1tbwbsthne

  • MD5

    a2fc1e0d85da197a26203e22bdd1b5a2

  • SHA1

    4c2f2158f440347a0f722cd81eb806e28481b868

  • SHA256

    7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

  • SHA512

    6781742683061f15e74d6a62b16102dde83cafe1aa6f349e1ecec305dd3a72ea043709a19ec435a749e506efb4d93e82ea5ee620bfe60024a5782550eb7f8745

  • SSDEEP

    196608:d98omomtNNy/aJF3Jf7KQrNIdaBtlCJNfx2944bl465o:d98omvMKZmQagtU0N465o

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Low3n

C2

192.168.100.58:443

192.168.42.7:443

Mutex

e4c7f2e5b82fac0d624ab661f39b28fa

Attributes
  • reg_key

    e4c7f2e5b82fac0d624ab661f39b28fa

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1177

104.238.137.213:5552

192.168.89.1:1177

192.168.1.5:666

myhotkkk444.duckdns.org:4444

JohnRicardomilos-33746.portmap.io:1605

127.0.0.1:5552

192.168.56.1:5552

shytanoff.ddns.net:1177

127.0.0.1:2020

192.168.0.27:4444

shytangz12.ddns.net:1177

dalpzy.ddns.net:1085

updatesystemtool.ddns.net:1337

jhonjhon4842.ddns.net:1177

192.168.1.16:5552

fidapeste.duckdns.org:5552

harris974.ddns.net:4444

127.0.0.1:4789

bo6y1.hopto.org:1609

Mutex

aeeb7a2903c8c537463f288bcc5eed2e

Attributes
  • reg_key

    aeeb7a2903c8c537463f288bcc5eed2e

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

127.0.0.1:9040

bomi.duckdns.org:8080

192.168.1.7:8080

jhonjhon4842.ddns.net:6606

jhonjhon4842.ddns.net:3389

denemeiso1.duckdns.org:5060

sam144169-56334.portmap.io:56334

sam144169-56334.portmap.io:5552

sam144169-56334.portmap.io:5050

webforma.chickenkiller.com:56334

webforma.chickenkiller.com:5552

webforma.chickenkiller.com:5050

webdata.ddns.net:56334

webdata.ddns.net:5552

webdata.ddns.net:5050

62.108.37.42:8808

noregisterdomain.zapto.org:9040

82.84.85.59:1608

number2.duckdns.org:6606

number2.duckdns.org:7707

Mutex

ertretythhrrthttrhth

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

darkcomet

Botnet

hacked

C2

sexystar.myq-see.com:5552

Mutex

DC_MUTEX-6BSXQXU

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    1JlJEAuNqqm6

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

Mikel_04

C2

ventoclima.hopto.org:8678

Mutex

DC_MUTEX-J9C4X34

Attributes
  • InstallPath

    Temp\Taskmgrk.exe

  • gencode

    mn82vWE9luVq

  • install

    true

  • offline_keylogger

    true

  • password

    Mikel2019

  • persistence

    true

  • reg_key

    taskmgrk

Extracted

Family

darkcomet

Botnet

Mikel50

C2

ventoclima.hopto.org:58589

Mutex

DC_MUTEX-1M2MJNL

Attributes
  • InstallPath

    temp\taskmgrk.exe

  • gencode

    n7v7WtYPsejG

  • install

    true

  • offline_keylogger

    true

  • password

    Mikel2019

  • persistence

    false

  • reg_key

    taskmgrk

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

984559f52d4087243e95e5ad9bb48e8d

Attributes
  • reg_key

    984559f52d4087243e95e5ad9bb48e8d

  • splitter

    boolLove

Extracted

Family

asyncrat

Version

0.5.5A

Botnet

null

C2

192.168.1.9:8080

Mutex

jsdmhpiwkzhk

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Infected

C2

noinmy.ddns.net:9999

Mutex

BW7JOTpOU1me7DhAhz

Attributes
  • encryption_key

    cuGnTFdzZchzOboCjJyu

  • install_name

    dashost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WinServe

  • subdirectory

    DAF

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:2302

127.0.0.1:1604

rdp2.dgsn.fr:213

jasonbrody2019.hopto.org:5555

tzii.myq-see.com:888

127.0.0.1:90

127.0.0.1:5555

memo445.ddns.net:1337

192.168.234.157:4444

192.168.197.128:1337

192.168.1.2:333

174.127.99.217:1016

193.161.193.99:8888

193.161.193.99:57904

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

LimeRevenge

Mutex

3f4-8b13-1cf6666e4149

Extracted

Family

njrat

Version

0.7d

Botnet

B HAT

Mutex

cd1f49ff557041b28396a032e2b161ee

Attributes
  • reg_key

    cd1f49ff557041b28396a032e2b161ee

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

127.0.0.1:5552

Mutex

64dfa84fd6a14d54bb5da02b3d38a087

Attributes
  • reg_key

    64dfa84fd6a14d54bb5da02b3d38a087

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

127.0.0.1:9045

127.0.0.1:8080

192.168.1.7:8080

159.65.15.187:5552

127.0.0.1:5552

unregisteredhost.dynu.net:9045

omnibeees.ddns.com.br:5552

winddns.publicvm.com:5552

whoisdomain.zapto.org:9045

Mutex

13f63b20924948f

Attributes
  • reg_key

    13f63b20924948f

  • splitter

    @!#&^%$

Extracted

Family

njrat

Version

0.7d

Botnet

Test Bypass cho down load

C2

127.0.0.1:1234

Mutex

165d6ed988ac

Attributes
  • reg_key

    165d6ed988ac

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.3.0.0

Botnet

VN333

C2

billythesailor.ddns.net:4782

billythesailor.ddns.net:4707

billythesailor.ddns.net:4708

Mutex

QSR_MUTEX_EZD0hpIqeXmWmfSZR5

Attributes
  • encryption_key

    6dtdGsEtLLsDNKEXgV4zSrTRpfxT2qGQ

  • install_name

    Windows Startup Service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Startup Service

  • subdirectory

    SubDir

Extracted

Family

limerat

Wallets

bc1quugyyqeyjw9z2qdetazwpp6jfpdqnscxj3jxgq

Attributes
  • aes_key

    123

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/zVbipP9N

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

remcos

Botnet

Host

C2

127.0.0.1:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_vruzvedwdwvizfq

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

njrat

Botnet

Visual Studio

Mutex

d72f69dfb2e45fb7b2acbc62f8219a16

Attributes
  • reg_key

    d72f69dfb2e45fb7b2acbc62f8219a16

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

192.168.1.2:1177

ghassan2019.ddns.net:1177

127.0.0.1:1177

192.168.1.11:1337

43.229.151.171:1177

43.229.151.191:1177

103.82.249.74:5552

memo445.ddns.net:5552

saleh200.hopto.org:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes
  • reg_key

    5cd8f17f4086744065eb0992a09e05a2

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

127.0.0.1:8080

1.243.157.185:6522

Mutex

9e549438c56317b24cd87c987b694da8

Attributes
  • reg_key

    9e549438c56317b24cd87c987b694da8

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

0.6.4

Botnet

YourPhone

C2

157.245.220.192:1177

Mutex

bec01544ef6b0bb361f68d796213ad70

Attributes
  • reg_key

    bec01544ef6b0bb361f68d796213ad70

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKeD

C2

85:85

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

YourPhone

Mutex

be7a6446994c64053a860ca10a12ce1e

Attributes
  • reg_key

    be7a6446994c64053a860ca10a12ce1e

Extracted

Family

njrat

Version

0.7d

Botnet

required installation

C2

uxnr.ddns.net:7144

Mutex

a2d1b1b05cb0b58cf6e21aefb30df1db

Attributes
  • reg_key

    a2d1b1b05cb0b58cf6e21aefb30df1db

  • splitter

    |'|'|

Extracted

Family

njrat

Botnet

Person_Anonymous

Mutex

b48bd383056441b474989fb5582a172b

Attributes
  • reg_key

    b48bd383056441b474989fb5582a172b

Extracted

Family

njrat

Botnet

Hacked By HiDDen PerSOn

Mutex

687a11c6212507fa992aa1644b336ef5

Attributes
  • reg_key

    687a11c6212507fa992aa1644b336ef5

Extracted

Family

njrat

Version

im523

Botnet

HacKed By KiLLeR

C2

killerfo2.ddns.net:1177

killerfo22.ddns.net:1177

Mutex

61e53fca4b50eaee89f696351aed3589

Attributes
  • reg_key

    61e53fca4b50eaee89f696351aed3589

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

yano.ddns.net:1605

84.217.125.142:80

127.0.0.1:35855

hostnj.ddns.net:1177

Mutex

7d6d30a897de0ce8a1f25f71e40d0c4d

Attributes
  • reg_key

    7d6d30a897de0ce8a1f25f71e40d0c4d

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

client

C2

akamaru.ddns.net:1605

netcatclink.ddns.net:4444

Mutex

aa15bd929c7132fe8f63fd4d0ae48d6c

Attributes
  • reg_key

    aa15bd929c7132fe8f63fd4d0ae48d6c

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

192.168.234.154:5555

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Version

0.7d

Botnet

Test

C2

10.10.10.25:2525

Mutex

2cf8612501da0a1a00fe5c300206e7a5

Attributes
  • reg_key

    2cf8612501da0a1a00fe5c300206e7a5

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

bustabit

C2

wogusnn.ddns.net:5553

Mutex

d963ad78fcad26750b040b7fff9e4835

Attributes
  • reg_key

    d963ad78fcad26750b040b7fff9e4835

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

HacKed PUBG

C2

cantburn.hopto.org:1177

Mutex

7b5444a8f8ca9a359aadb891c7e9f01b

Attributes
  • reg_key

    7b5444a8f8ca9a359aadb891c7e9f01b

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HHHXXX

C2

black101.ddns.net:1177

Mutex

c7c947d665980e197b736d98adf01cc0

Attributes
  • reg_key

    c7c947d665980e197b736d98adf01cc0

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Kjh

Botnet

마인크래프트

C2

14.46.160.76:5552

Mutex

06d63ada0dc02c6a44ed3c3fc5c89d83

Attributes
  • reg_key

    06d63ada0dc02c6a44ed3c3fc5c89d83

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

x014.hopto.org:4444

192.168.1.16:4444

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

Kulum

C2

34.89.221.19:4444

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Version

0.7d

C2

45.76.29.16:5552

Mutex

738e6a0cd25e647b7eb7d6cdad689401

Attributes
  • reg_key

    738e6a0cd25e647b7eb7d6cdad689401

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Pubg Mobile

C2

Owais5050-61656.portmap.io:56607

Mutex

6cd2713f4eecf0bba2b136a5ea65aac1

Attributes
  • reg_key

    6cd2713f4eecf0bba2b136a5ea65aac1

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

pinatanai

C2

159.65.15.187:5555

Mutex

ca60c420c99495343bf4e523a6b382cc

Attributes
  • reg_key

    ca60c420c99495343bf4e523a6b382cc

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

deme

C2

192.168.1.34:4444

Mutex

4a511581dfdc310e4c48feb89e0695f4

Attributes
  • reg_key

    4a511581dfdc310e4c48feb89e0695f4

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

Kjh

Botnet

HacKed

C2

180.230.116.72:5552

Mutex

8e3709de950aab92ac1a166058ff0595

Attributes
  • reg_key

    8e3709de950aab92ac1a166058ff0595

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

Person

C2

127.0.0.1:456

Mutex

dae31c02cb06222e776b9ccb9207edb1

Attributes
  • reg_key

    dae31c02cb06222e776b9ccb9207edb1

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

gariban

C2

rothilione-41041.portmap.io:41041

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

2020/

Mutex

cad6ec042b06ac31e129fbc8d13eabe6

Attributes
  • reg_key

    cad6ec042b06ac31e129fbc8d13eabe6

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

34234234

C2

146.158.107.225:8408

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

SAD NIGGA HOURS

Mutex

06ba6a3d895af3b2b6823852ec271c67

Attributes
  • reg_key

    06ba6a3d895af3b2b6823852ec271c67

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

195.222.172.238:5228

Mutex

svchost.exe

Attributes
  • reg_key

    svchost.exe

  • splitter

    njrat

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

C2

tolga182-49359.portmap.host:1604

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

Hacked

Mutex

19398dcbfdab92aeb0734478a2451d20

Attributes
  • reg_key

    19398dcbfdab92aeb0734478a2451d20

Extracted

Family

njrat

Botnet

roby

Mutex

4bda69d82f2ad26800386604df9bc3de

Attributes
  • reg_key

    4bda69d82f2ad26800386604df9bc3de

Extracted

Family

njrat

Version

0.7d

Botnet

victime

C2

tutoratderz.ddns.net:5552

tutoratderz.ddns.net:1605

Mutex

61f6d5680d79146f1177cacbfc3022ce

Attributes
  • reg_key

    61f6d5680d79146f1177cacbfc3022ce

  • splitter

    |'|'|

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

127.0.0.1:333

NOREGISTERDOMAIN.ZAPTO.ORG:9045

helpdeskcamfrog.ddns.net:2222

3030pp.hopto.org:1000

r3dc0d3r.duckdns.org:12301

toloro.duckdns.org:5555

fullcdt.hopto.org:333

sensual2020.ddns.net:3000

192.168.1.2:2222

alien007.my-firewall.org:8080

cuenta.hopto.org:5214

Mutex

2cc2152a0871

Extracted

Family

revengerat

Botnet

R A D

C2

KevinDavis-58161.portmap.host:58161

192.168.1.112:4444

kevindavis-58161.portmap.host:58161

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

al3nzii.myq-see.com:4782

hoba7be.ddns.net:4782

127.0.0.1:2323

149.28.201.253:4782

192.168.2.9:1783

86.93.121.149:1783

192.168.234.157:1234

127.0.0.1:4782

192.168.1.100:4800

Mutex

QSR_MUTEX_QSMxTkfFj770mwaMaj

Attributes
  • encryption_key

    zunmXxOhff9hBVcOIy8a

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Kurban

C2

gameranil88-34655.portmap.io:34655

Mutex

QSR_MUTEX_Mq8fSFRilMUG89GjSc

Attributes
  • encryption_key

    wE4B3JaW3vEUIIrvszcF

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    1

  • startup_key

    WindowsUptade

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Force One

C2

umcarasozinho.giize.com:5552

Mutex

QSR_MUTEX_rXuzhrms6m5Gx0d0lk

Attributes
  • encryption_key

    2yzv2TDIqCeGLodEWuqz

  • install_name

    systemhelper.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    systemhelper

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

New

C2

ipaf3.sytes.net:5353

ipaf4.sytes.net:5353

Mutex

QSR_MUTEX_IRT4UgcGhk975OVXdn

Attributes
  • encryption_key

    AWkTsOYsl9wIkH8LUfG4

  • install_name

    Driver.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Drivers

  • subdirectory

    Drivers

Extracted

Family

quasar

Version

1.3.0.0

Botnet

CoDer

C2

skypeprocesshost.ddns.com.br:4782

workwinrarhost.ddns.com.br:4782

office.minhaempresa.tv:4782

authy.winconnection.net:4782

Mutex

QSR_MUTEX_waaDBjBTwvE4jQF1CY

Attributes
  • encryption_key

    syxdBvDrFCjAln3AxGRZ

  • install_name

    0ffice.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    msg

  • subdirectory

    Office

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Ps

C2

45.74.53.124:4782

Mutex

s5v8y/B?E(H+MbQeThWmZq3t6w9z$C&F)J@NcRfUjXn2r5u7x!A%D*G-KaPdSgV

Attributes
  • encryption_key

    sEybIz3EK3xXIpG2z1h2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    0

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Force One PC MASTER

C2

apenasumcarasozinho.hopto.org:5552

Mutex

QSR_MUTEX_HqC3bVY0FTFbgxQirr

Attributes
  • encryption_key

    5RhS5uBxvlwTtS4KFhfw

  • install_name

    systemHelper.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    systemhelper

  • subdirectory

    SubDir

Extracted

Family

nanocore

Version

1.2.2.0

C2

uniformmm.ddns.net:1543

127.0.0.1:1543

spowpow12.hopto.org:5678

127.0.0.1:5678

127.0.0.1:54984

192.168.1.16:54984

ahmedt.duckdns.org:113

ghfsquad.duckdns.org:8192

ludwigh.duckdns.org:8192

jhonjhon4842.ddns.net:53896

jemoederspow.ddns.net:5678

192.168.0.129:54984

Mutex

8c89a093-5ac7-424e-8c76-2e80c157bade

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-10-14T14:42:04.641145036Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1543

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    8c89a093-5ac7-424e-8c76-2e80c157bade

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    uniformmm.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

0.7d

Botnet

Downloading

C2

console-wifi.ddns.net:5552

Mutex

3dfad3bbc7bad1562c683adfee1a8e48

Attributes
  • reg_key

    3dfad3bbc7bad1562c683adfee1a8e48

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

RECUP NOIP

C2

9292.ddns.net:10140

Mutex

1f0c56d11a4a44433acf4728c597fd66

Attributes
  • reg_key

    1f0c56d11a4a44433acf4728c597fd66

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

내따꽈리

C2

asdgdcvxzcv.kro.kr:2222

Mutex

651deda00b27ab86d974483926aa2300

Attributes
  • reg_key

    651deda00b27ab86d974483926aa2300

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

NEW

C2

sharrych.ddns.net:5556

Mutex

723520b640cb39476dbbd3d566c664da

Attributes
  • reg_key

    723520b640cb39476dbbd3d566c664da

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

clienta

C2

achraf4.ddns.net:4500

Mutex

59d56b3983b444c86e2da951d0302f3b

Attributes
  • reg_key

    59d56b3983b444c86e2da951d0302f3b

  • splitter

    |'|'|

Extracted

Family

warzonerat

C2

tresor2020.ddns.net:2020

178.238.8.111:2626

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:999

127.0.0.1:81

Mutex

0Y7117LDCV0730

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • Target

      bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.gen-c35e3bdf0d1a7275e73f3c8c9fb57cf874ffa19ffafae649025b1e90cd07c096

    • Size

      16KB

    • MD5

      fc8f4e31d85e796c1efe9b0fabeed23a

    • SHA1

      e15233a69c32761d8ad0e293ce1ed2e1162d5647

    • SHA256

      c35e3bdf0d1a7275e73f3c8c9fb57cf874ffa19ffafae649025b1e90cd07c096

    • SHA512

      36e40d94711c82fb1669e3143d63833a3f7ad1b0ea8dae00287cbcdfd154135a3d7042702e4900193d0dcae94b0d03f7b6a9fb545e20c709fd4fb4a1cae95351

    • SSDEEP

      384:sxF6Mj9VnRq2Rj9oM+bYO+4kr9oDPlMNcLlb5sVKdyS5Ct:sxF6Mj9V5bDclMNE9o

    Score
    3/10
    • Target

      bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.gen-1f2ae650fdefb75fd7775dd7ad86aa81ca7d19595f58b4a07b32a6502079d815

    • Size

      32KB

    • MD5

      24cc1404f53045420a81c054d26daec7

    • SHA1

      986f83fa51663d0f551ea0dc838265d0c23283e9

    • SHA256

      1f2ae650fdefb75fd7775dd7ad86aa81ca7d19595f58b4a07b32a6502079d815

    • SHA512

      de42f387157436eada861078fc799605167795ca3726d123b1ecc8996b618fde13e0b26c6597146d355e1b6ccc808d721f76ef85efeba2ebcf66f8d06520f8ab

    • SSDEEP

      384:ll3kcQnkUoSsJGG5ZfB3yIwt4U3Qu0/7FTgPtTFAqzmVsSiA:lWcQneSwP5ZRs4U3CegsM

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Target

      bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.gen-2f55841f6ccc75acaf8390d8e8c909528a6c62bfd016e788068145c168aec07c

    • Size

      32KB

    • MD5

      3d9cbe669e5802ff418f24d5c251347d

    • SHA1

      c906a8366af35a92e673eafc8fe32202404dd5aa

    • SHA256

      2f55841f6ccc75acaf8390d8e8c909528a6c62bfd016e788068145c168aec07c

    • SHA512

      01f74185cd9065240cceb18b91f08162ade458fc71197df278c26fe75d6a492b1c47e0f2a854ac730a83186d6734cf5b87c4febb178ee157aa557095842301e8

    • SSDEEP

      384:Yl3kcQnkUoSsJGG5ZfB3yIwt4U3Qu0/7FTgPtTFAqzms/sSiR:YWcQneSwP5ZRs4U3CeDsN

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Target

      bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.gen-38c256f94279c37c339b3214008a8a013bba1fdf9baff77ce82ed900d333fd75

    • Size

      32KB

    • MD5

      4f7c77898af19dedbac4dc1044d0629d

    • SHA1

      9c44ba544c678a98e0179c927b892dda12232f96

    • SHA256

      38c256f94279c37c339b3214008a8a013bba1fdf9baff77ce82ed900d333fd75

    • SHA512

      09cf6487e030907e146093dae06c66d5214bd11a626e27d10da21ffc4ea87f957ae37abd6d82aad27c1564daa9f3cbc2798c444aa46f97e73cb07f31fd390a3c

    • SSDEEP

      384:O1x4wBaqvR8OIGGhC35AfTO39WT5tTUFAqzFSVkSKAi:OdB9vRjeCsTBHkX

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

MITRE ATT&CK Enterprise v15

Tasks

static1

low3nhackedratnullupxmikel_04mikel50infectedstealerguestlimerevengeb hatnyan cattest bypass cho down loadvn333hostvisual studiomybotyourphonerequired installationperson_anonymoushacked by hidden personhacked by killerclienttestbustabithacked pubghhhxxx마인크래프트hacked kulum pubg mobile pinatanaidemepersongariban2020/34234234sad nigga hourslimetopherrobyvictimenyancatrevenger a dsystemytoffice04kurbanforce onenewcoderpsforce one pc masterdownloadingrecup noip내따꽈리clientaremotenjratasyncratdarkcometquasarrevengeratsodinokibilimeratremcosnanocorewarzoneratcybergate
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

Score
1/10

behavioral3

njratdiscoverytrojan
Score
10/10

behavioral4

njratdiscoverytrojan
Score
10/10

behavioral5

njratdiscoverytrojan
Score
10/10

behavioral6

njratdiscoverytrojan
Score
10/10

behavioral7

njratdiscoverytrojan
Score
10/10

behavioral8

njratdiscoverytrojan
Score
10/10