Overview

overview

10

Static

static

10

5adacfc1a3...d4.exe

windows7-x64

10

5adacfc1a3...d4.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06282cdd7fa54ea991fba55a50f8d8bd.bin

  • Size

    66KB

  • Sample

    241208-bc36tatmav

  • MD5

    18c0eb77cd3d9c73c5148dc48b515b26

  • SHA1

    671d3ff2e15a389e17a72952b29caec7fd5a9eaa

  • SHA256

    5d86709f59630fad645619f75dc3ff07e60e666152e8249b22ffd778c51b5f07

  • SHA512

    ce857dd02165682ced188304f3b3563fe23e2b32cee50c6560e5225ea4544698ad028d57f9d7f75c4ab0b0813610fad69a522b732b56ba9f410b6a483101c47b

  • SSDEEP

    1536:7ozH3Lqeh/iygSig5eTIFowvbp9/ty8jEI4Yv3hrR2aikbzHXYtMj2:7uHeQ0SigosF3p9I8J4YJ92arbfj2

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

hacked

C2

2.tcp.eu.ngrok.io:19294

Mutex

08e0b826461df6aaa32a19d4d44ad609

Attributes
  • reg_key

    08e0b826461df6aaa32a19d4d44ad609

  • splitter

    |'|'|

Targets

    • Target

      5adacfc1a38f978177f6aa03d8e95e584d75e2cd614aa88a686678f50ec4e0d4.exe

    • Size

      85KB

    • MD5

      06282cdd7fa54ea991fba55a50f8d8bd

    • SHA1

      ba2cc621ce142888e001221b881f18dfdf971d16

    • SHA256

      5adacfc1a38f978177f6aa03d8e95e584d75e2cd614aa88a686678f50ec4e0d4

    • SHA512

      2a0fc3c07392ec03dbbb9b23910fec809266d185c73cbf02dc3fbfca5033d1218eb5be576a3852888afbf5a882b9df6d185d3c4a7394bcc113d584600b60f1d1

    • SSDEEP

      1536:NX1CKfcCqx+gRJNfxKGU4Q+GhjOwxLfUP0k6rM5cpGPaOK5e:NX4KEp+yJZxKGlYSwxLu0kc5sPe5e

    Score
    10/10
    njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks