General

  • Target

    Nordvpn Checker by xRisky.zip

  • Size

    1.4MB

  • Sample

    241211-wr5cmsxrcn

  • MD5

    72079997556ea2c486d05c1201ccff9c

  • SHA1

    77bc689dcbb78e3d5ac2cb6620286c24ca7fe29b

  • SHA256

    901d3914e57588b3cabe641fc1b46ab7416b79f3019e5231bef789013f331e8a

  • SHA512

    4bd21dceb8b7b6fcb993548d2087fcd07597c92e7cfe76cbde59b5b35e5cf14fec7f392aedb6a09640e8a0f2b79bad07f35fd88ccb8c0f14db37ef242cd9df91

  • SSDEEP

    24576:0k6xzKOseCms56+E8DHLPpIHxCKKTWvd31RV8ddK6I9nreI+vx31SaVK:0dxbtsjrPmHIKQWvVVOKtKI2lRVK

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Checker 2alpes

C2

pur3vpn.ddns.net:5559

Mutex

bfb7b23723ac9ef23fe5ca9d03794c39

Attributes

  • reg_key

    bfb7b23723ac9ef23fe5ca9d03794c39

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Checkers

C2

pur3vpn.ddns.net:5559

Mutex

cc903deaeeb6a6a7c2a29474210cea6f

Attributes

  • reg_key

    cc903deaeeb6a6a7c2a29474210cea6f

  • splitter

    |'|'|

Targets

    • Target

      Nordvpn Checker by xRisky/NordVPN Checker .exe

    • Size

      1.0MB

    • MD5

      395c953449cf3bb03a51a78844417ad0

    • SHA1

      731ed26c2d6509f6f7f20dc9712a23b21e6a6283

    • SHA256

      1dc2c6e80ec0e26096859319907b456a505979b4931c6bb369f77acf69e940a2

    • SHA512

      b1c251d2e96dd5e6fa8e6ae4924c941dd473e6452ac6a931f273b350c68c7ebb5e64f4f2e89d4504e5eb485a43619f72eaa5936e0c33d84b318fc8709f0ad957

    • SSDEEP

      24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaaM7c6+Ea75W:ph+ZkldoPK8YaaLW

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      Nordvpn Checker by xRisky/Nordvpn Checker by xRisky.exe

    • Size

      1.2MB

    • MD5

      4a8a6e0dee9058400bb2e55fabc14f75

    • SHA1

      a7d28731d4f1829bfd1af9273ca9a61fa05f9ede

    • SHA256

      86cc041b294b33d95ec7e78954b9a03fbbdd0d08f5eee39bc9ee3c6fab053694

    • SHA512

      50b0d6dad029961732bb3eb660f393bd7edbeaf7393182ad654af7ceb81eed07e5beab64683293bbfe8cf90241035c2c80a825e4f963523a9c54231ee005ffb3

    • SSDEEP

      24576:PCdxte/80jYLT3U1jfsWa0U3Ui9V1aI+vx31U3DQ9:Ow80cTsjkWa0GsIklp9

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15