General

  • Target

    bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe

  • Size

    5.2MB

  • Sample

    241206-mvefystlg1

  • MD5

    386d04e063ab5bb7eb21863ab6ce6d8a

  • SHA1

    58e1ce124c0a38f900d703cb786869f05924ef02

  • SHA256

    bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f

  • SHA512

    a47ac301a0e4fc403a4855f5ee5c6f89a11e1a71e697e2dd2741f0006ceda0821adea721e36cbd6d9df4cb7772d25e35497c28a35b208e2a01076d3f3294cd31

  • SSDEEP

    98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7E:NemFM0jB4v+zfjhFO+mH8L9/F7fbucA

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

ReZero

C2

web-authentication.gl.at.ply.gg:23352

Mutex

0bed19877875a0f3385bb55897b96af0

Attributes
  • reg_key

    0bed19877875a0f3385bb55897b96af0

  • splitter

    |'|'|

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Targets

    • Detect Neshta payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Neshta

      Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

    • Neshta family

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
