General

  • Target

    e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe

  • Size

    5.2MB

  • Sample

    241206-ktmptszjdy

  • MD5

    4786e70687f230ac3d08946bd3b08540

  • SHA1

    bcc4228899c875d3444be0830b5e4bdd5d9b096a

  • SHA256

    e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53

  • SHA512

    2719b5bb5d5797b530463e0e132496a224ea061fc897c66779037214c5e63c5b1a7df3422c1e6f9ddd2101cacda344e013b2c11ae078ec4bd8ea22332a213486

  • SSDEEP

    98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7:NemFM0jB4v+zfjhFO+mH8L9/F7fbuc

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

ReZero

C2

web-authentication.gl.at.ply.gg:23352

Mutex

0bed19877875a0f3385bb55897b96af0

Attributes
  • reg_key

    0bed19877875a0f3385bb55897b96af0

  • splitter

    |'|'|
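The three config values above are the ones that matter for hunting an njRAT build: the C2 endpoint, the `reg_key` (njRAT uses it both as the mutex name and as the value name of its Run-key persistence entry), and the `splitter` string that separates fields inside each message. The following Python is an added example, not the sandbox's code or njRAT's own source; it assumes the well-known njRAT framing of an ASCII decimal length, a NUL byte and then the body, and the sample traffic and field layout are constructed for illustration, not a transcription of the real protocol.

```python
import re

# Values taken from the extracted njRAT config above.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "web-authentication.gl.at.ply.gg", 23352
REG_KEY = "0bed19877875a0f3385bb55897b96af0"
MUTEX = "0bed19877875a0f3385bb55897b96af0"

# Assumption: njRAT frames every message as "<decimal length>\x00<body>" and
# joins the fields of the body with the configured splitter.
FRAME_HEADER = re.compile(rb"(\d+)\x00")


def build_frame(fields):
    """Encode a list of string fields as one njRAT frame."""
    body = SPLITTER.join(fields).encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frames(stream):
    """Split a captured TCP byte stream into complete njRAT frames.

    Returns (frames, leftover): frames is a list of field lists, leftover holds
    trailing bytes that do not yet form a complete frame (keep them for the next read).
    """
    frames, pos = [], 0
    while pos < len(stream):
        m = FRAME_HEADER.match(stream, pos)
        if not m:
            break  # not at a frame boundary; stop rather than guess
        length, start = int(m.group(1)), m.end()
        if start + length > len(stream):
            break  # incomplete frame, wait for more data
        body = stream[start:start + length].decode("utf-8", errors="replace")
        frames.append(body.split(SPLITTER))
        pos = start + length
    return frames, stream[pos:]


def run_key_path():
    """Typical njRAT persistence location: HKCU Run value named after reg_key."""
    return r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + REG_KEY


# Constructed sample traffic: a registration-style message, a keepalive and a
# truncated frame. The victim ID prefix mirrors the botnet name from the config.
SAMPLE_STREAM = (
    build_frame(["ll", "ReZero_0123ABCD", "DESKTOP-TEST", "user", "24-12-06",
                 "No", "im523", "Win 10 Pro", ""])
    + build_frame(["ping"])
    + b"12\x00partial"
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print("frame:", f)
    print("leftover bytes:", rest)
    print("persistence value to check:", run_key_path())
```

Feeding a real capture through `parse_frames` and filtering on the first field gives a quick view of which commands the C2 issued; the length-prefix framing is also what makes a simple content signature on the splitter string (`|'|'|`) reliable on the wire.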

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai
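The second extracted config is not a second C2: it is the metadata of an embedded Metasploit payload, and the "Version" field carries the encoder module name, shikata_ga_nai, Metasploit's polymorphic XOR additive-feedback encoder. The following Python is an added model of that data transform, not Metasploit's own code and not a reproduction of its polymorphic decoder stub (the stub, which locates itself with an FPU instruction and uses randomised registers, is deliberately not modelled): each little-endian dword is XORed with a running 32-bit key, and the key is then advanced by adding the decoded dword. The padding byte used for short payloads is an assumption for this example.

```python
import struct

MASK = 0xFFFFFFFF


def sgn_encode(payload: bytes, key: int) -> bytes:
    """Model of the encoder: out = dword ^ key, then key = (key + dword) mod 2^32.

    The feedback uses the plaintext dword, so identical plaintext dwords encode
    differently depending on everything that preceded them.
    Payload is padded to a multiple of 4 (padding byte is an assumption here).
    """
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)
    out = bytearray()
    for (block,) in struct.iter_unpack("<I", payload):
        out += struct.pack("<I", block ^ key)
        key = (key + block) & MASK
    return bytes(out)


def sgn_decode(encoded: bytes, key: int) -> bytes:
    """Mirror of the decoder loop: recover the dword, then add it to the key."""
    out = bytearray()
    for (block,) in struct.iter_unpack("<I", encoded):
        plain = block ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)


def differs_per_key(payload: bytes, key_a: int, key_b: int) -> bool:
    """Same payload, different initial key: the encoded bytes differ, which is why
    static signatures on the encoded body (rather than the decoder) are unreliable."""
    return sgn_encode(payload, key_a) != sgn_encode(payload, key_b)


if __name__ == "__main__":
    # Constructed payload bytes for demonstration, not shellcode.
    sample = bytes(range(16))
    enc = sgn_encode(sample, 0xDEADBEEF)
    print("encoded :", enc.hex())
    print("decoded :", sgn_decode(enc, 0xDEADBEEF).hex())
    print("key-dependent:", differs_per_key(sample, 0x11111111, 0x22222222))
```

The practical consequence for detection is the one the model shows: the encoded body changes with every run, so hunting should key on the decoder stub's structure (the FPU instruction followed by an XOR/add loop) or on post-decode behaviour rather than on the encoded bytes.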

Targets

    • Target

      e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe

    • Size

      5.2MB

    • MD5

      4786e70687f230ac3d08946bd3b08540

    • SHA1

      bcc4228899c875d3444be0830b5e4bdd5d9b096a

    • SHA256

      e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53

    • SHA512

      2719b5bb5d5797b530463e0e132496a224ea061fc897c66779037214c5e63c5b1a7df3422c1e6f9ddd2101cacda344e013b2c11ae078ec4bd8ea22332a213486

    • SSDEEP

      98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7:NemFM0jB4v+zfjhFO+mH8L9/F7fbuc

    • Detect Neshta payload

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, most likely generated with msfvenom or a similar tool.

    • Metasploit family

    • Neshta

      Neshta is a file infector: it prepends its own code to other executables so that running an infected program spreads the infection further.

    • Neshta family

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables RegEdit via registry modification

    • Disables cmd.exe use via registry modification

    • Sets file to hidden

      Sets the hidden file attribute so the file is not shown in Explorer under default view settings.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data such as saved credentials, cookies and autofill entries.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
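Several of the signatures above map to specific registry values that can be checked on a suspect host without running the sample again. The following Python is an added example, not the sandbox's code: it parses the text that `reg query` prints for a set of keys and flags the conditions behind "Disables RegEdit via registry modification" (DisableRegistryTools), "Disables cmd.exe use via registry modification" (DisableCMD), "Modifies system executable filetype association" (the exefile open command no longer being the stock `"%1" %*`) and njRAT's Run-key persistence under the `reg_key` from the extracted config. The sample `reg query` output is constructed for this example; the svchost.com path in it is the exefile hijack Neshta is known for, and the file paths are made up.

```python
import re

REG_KEY = "0bed19877875a0f3385bb55897b96af0"  # njRAT reg_key from the extracted config
EXEFILE_DEFAULT = '"%1" %*'                    # stock value of HKCR\exefile\shell\open\command

# Constructed sample of `reg query <key>` output from a host showing the report's
# signatures. Paths are invented; the svchost.com hijack is Neshta's known pattern.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    DisableCMD    REG_DWORD    0x2

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\Windows\svchost.com "%1" %*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    0bed19877875a0f3385bb55897b96af0    REG_SZ    "C:\Users\u\AppData\Roaming\svc.exe"
"""


def parse_reg_query(text):
    """Turn `reg query` output into (key, value_name, type, data) tuples.

    Key lines start in column 0; value lines are indented and use runs of
    four or more spaces between name, type and data (data may contain spaces).
    """
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if key is None or len(parts) != 3:
            continue
        name, rtype, data = parts
        entries.append((key, name, rtype, data))
    return entries


def dword(data):
    """REG_DWORD data is printed as hex (0x1); accept decimal too."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def triage(entries):
    """Return (finding, key, name, data) for each entry matching one of the signatures."""
    findings = []
    for key, name, rtype, data in entries:
        k = key.lower()
        if k.endswith(r"\policies\system") and name == "DisableRegistryTools" and dword(data) != 0:
            findings.append(("regedit_disabled", key, name, data))
        elif k.endswith(r"\policies\microsoft\windows\system") and name == "DisableCMD" and dword(data) != 0:
            findings.append(("cmd_disabled", key, name, data))
        elif k.endswith(r"\exefile\shell\open\command") and name == "(Default)" and data.strip() != EXEFILE_DEFAULT:
            findings.append(("exefile_hijacked", key, name, data))
        elif k.endswith(r"\currentversion\run") and name == REG_KEY:
            findings.append(("njrat_run_key", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(*finding, sep="\t")
```

Run it against the output of `reg query` for those four keys (HKCU and HKLM for the two policy keys) collected from the host; an exefile hijack in particular must be repaired before any other executable is launched on that machine, since every .exe start would otherwise pass through the infector again.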

MITRE ATT&CK Enterprise v15
