Overview

overview

10

Static

static

10

bb/BD2.Net...or.exe

windows10-2004-x64

8

bb/BD2.Net...or.exe

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bb.rar

  • Size

    1.4MB

  • Sample

    241017-kaaadsshqj

  • MD5

    82b05d52e36ffd4144a3c7d91bb41b6d

  • SHA1

    6cbd63158d4f7b6c058b9290fbb3fd3771edc0bd

  • SHA256

    489a0bf7836aa97dae47450d649b8ab40172c96b8df5800d721459401a81ef94

  • SHA512

    4989ad06190d45b3629441b74e72f1ded76d059ee5d3ea26003acc3449b6b2bdc2e8da5c47e4759952f34b72726482a95162f88ab6f8a846ca1ec5de0204971f

  • SSDEEP

    24576:WoQyZvN+4y9w05uHxts8MwdDhGXsnFkMW30mII4Fw8cpukXB9+KBueCp0SrWqIr3:gyxN+N9808MwdFFkMjmII42pu8CpFrWx

Score
10/10
njrat?!discoveryevasionmotwpersistencephishingprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

?!

C2

away-displays.gl.at.ply.gg:26916

Mutex

0d908776515dcc85e2d9e12ad50db4e5

Attributes
  • reg_key

    0d908776515dcc85e2d9e12ad50db4e5

  • splitter

    |'|'|

Targets

    • Target

      bb/BD2.Net Injector.exe

    • Size

      911KB

    • MD5

      f896fd2230ec80959e01c4d3ede8cd70

    • SHA1

      02a15f21a6f9664d1c7923228d24051bcf6afa0f

    • SHA256

      1876a63391a12016b8b5ae4fb7cc67d0f1ab163f51c673a79ee98e01fe01055f

    • SHA512

      9bbe552ecf9f33b41656068513516469c6c068b99fb76babdfc00f0252bdf13c7d3a9dfdffcb46c18f73fa3b771f3b887fa053008b74b2e38a6d08e6f8bfe7b6

    • SSDEEP

      3072:voTMwtSRo6lhc7NEZgxgRmGGB1jGKGbhgoaKbeRDuoRlAwKBb9RkxYJ:QowtqoqMEOOmGGfjGRioCRDjRlA1Rkx

    Score
    8/10
    discoveryevasionmotwpersistencephishingprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks