Overview

overview

10

Static

static

10

BootstrapperV1.26.exe

windows7-x64

10

BootstrapperV1.26.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SolaraBootstrapper1.zip

  • Size

    309KB

  • Sample

    241005-qg3heaycjb

  • MD5

    d2574c58662cb5a8b2a9c486f1e4c58a

  • SHA1

    d47c628f8b1b3de2fd8845806598e1234691a3c0

  • SHA256

    5d4cbcf52512f617ff01e22750c0339f5b022b106b8625fdae513679414b120b

  • SHA512

    89900468bfe346bc3ebb8e929d944b8fa05aa07bf143e522e2c2523627d4de2d15ddc6be42920f41d8ae4c8dfcc0a3da75702603def49ea8c06e81a554ca2f8b

  • SSDEEP

    6144:AHarJ+W54EjJfR1XaJOSW8af7JmExz4nxmf5vQVrmn58j+WWW:A6vTJfRIJOvRD8scMxSmnCCG

Score
10/10
njrat31discoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

31

C2

txx8luo.localto.net:3989

Mutex

0f4f57f0b5499edfd1915b0e98cfe851

Attributes
  • reg_key

    0f4f57f0b5499edfd1915b0e98cfe851

  • splitter

    Y262SUCZ4UJJ

Targets

    • Target

      BootstrapperV1.26.exe

    • Size

      863KB

    • MD5

      cc3f2a1f63f68e4014bc3b8a0d3ddf7c

    • SHA1

      82eb314b035f073332a7a4a9a10449513ccc1d03

    • SHA256

      43182b7bf6f7d1c9e18f1c3f9dd916986d6adb81928ee0b2e57d6572d22bca4a

    • SHA512

      6f6839fb986475b0b8d95132a5588c9d0f956e8b9cc1d894fc755cc8d365a11daba321a05aac1db295586a4d3a2b290c7ea80446948c57c4af0d33f21dd5f2da

    • SSDEEP

      12288:TATougEx9nCvJ4f05oOGoGH/j0MNVcfzJXcBPXBNr8L5h:k0NY9CvzoVoGH/j0ucrJXOu

    Score
    10/10
    njrat31discoverypersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks