Overview

overview

10

Static

static

10

Bootstrapper.exe

windows7-x64

10

Bootstrapper.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bootstrapper.exe

  • Size

    37KB

  • Sample

    241109-tx4xysxhqj

  • MD5

    e08d7967557238a0ee488e405f7865dd

  • SHA1

    b4428239dff65be117076a6d2169c1f5488e098e

  • SHA256

    3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

  • SHA512

    f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

  • SSDEEP

    384:71/yi00nCVpd3vVmyhKrrvFcCRYc2/efurAF+rMRTyN/0L+EcoinblneHQM3epzR:xHANVdhKr7FcRB/eWrM+rMRa8NuGItN

Score
10/10
njratkrasus-pcdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Krasus-Pc

C2

mingrelian.duckdns.org:4444

Mutex

cf0442d73ab4fa4b3573bef8feb3ee75

Attributes
  • reg_key

    cf0442d73ab4fa4b3573bef8feb3ee75

  • splitter

    |'|'|

Targets

    • Target

      Bootstrapper.exe

    • Size

      37KB

    • MD5

      e08d7967557238a0ee488e405f7865dd

    • SHA1

      b4428239dff65be117076a6d2169c1f5488e098e

    • SHA256

      3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

    • SHA512

      f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

    • SSDEEP

      384:71/yi00nCVpd3vVmyhKrrvFcCRYc2/efurAF+rMRTyN/0L+EcoinblneHQM3epzR:xHANVdhKr7FcRB/eWrM+rMRa8NuGItN

    Score
    10/10
    njratkrasus-pcdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks