General

  • Target

    sa.exe

  • Size

    223KB

  • Sample

    241227-tfw6saxkal

  • MD5

    84968f988f3fb7eecb1087187d8d4508

  • SHA1

    fa662dfa9ce6edea74bc94596d2079581cc71adf

  • SHA256

    04258bc5802a62bc686aa877e6944f9ab613eafffcb3b00e66db8eb46265d63d

  • SHA512

    9f6a207b3255d53d0b3ee80c933c250926dd36ae4ea03bfb290ea72e6a4033aab75c457073c7a2d46aabbf28347231fa202355f686d6dd4b4f7dd37fb1dbf1af

  • SSDEEP

    6144:16pFBtjbnNc/dqg1ZCuU9B8fMkCMglsgQH:c3nsd5rDS0fg+gG

Malware Config

Extracted

Family

njrat

Version

QUJPTEhC (base64 for "ABOLHB", matching the botnet name below)

Botnet

ByABOLHB

C2

abolhb.com:505

Mutex

66f73d9b4e94d115b763eaa1ada7d1f1

Attributes
  • reg_key

    66f73d9b4e94d115b763eaa1ada7d1f1

  • splitter

    |'|'|

Extracted

Family

xworm

C2

review-monroe.gl.at.ply.gg:46169

Mutex

lWfA9hbGdE2IDzRq

Attributes
  • Install_directory

    %AppData%

  • install_file

    Mason.exe

  • aes.plain
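The following is an added example, not code from the sandbox report or from either malware family. It works with the njRAT config extracted above: it decodes the base64 Version field, and it frames, unframes and splits a C2 message using the reported splitter. Two things are assumptions rather than facts from the report: that njRAT length-prefixes each message as a decimal byte count followed by a NUL byte, and that the first splitter-delimited field is a short command such as "ll". The sample message is constructed for the example.

```python
"""
Added example: helpers for the extracted njRAT config (splitter, C2,
base64 Version). Framing and field layout are assumptions; see lead-in.
"""
import base64
import re
from typing import List, Optional, Tuple

# Values copied from the extracted njRAT config
SPLITTER = "|'|'|"
C2 = ("abolhb.com", 505)
VERSION_RAW = "QUJPTEhC"
MUTEX = "66f73d9b4e94d115b763eaa1ada7d1f1"


def decode_version(raw: str) -> str:
    """The reported Version string is base64; decode it to the campaign tag."""
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def frame(payload: str) -> bytes:
    """ASSUMPTION: njRAT sends '<decimal length>' + NUL + payload."""
    body = payload.encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def unframe(buf: bytes) -> Optional[Tuple[str, bytes]]:
    """Pull one complete frame off a stream buffer.

    Returns (payload, remaining_bytes), or None when the buffer does not yet
    hold a complete, well-formed frame (caller should read more bytes).
    """
    m = re.match(rb"(\d{1,9})\x00", buf)
    if not m:
        return None
    length, start = int(m.group(1)), m.end()
    if len(buf) - start < length:
        return None
    body = buf[start:start + length].decode("utf-8", errors="replace")
    return body, buf[start + length:]


def split_fields(payload: str) -> Tuple[str, List[str]]:
    """Split on the configured splitter into (command, remaining fields)."""
    cmd, *fields = payload.split(SPLITTER)
    return cmd, fields


def looks_like_njrat(payload: str) -> bool:
    """Network-side heuristic: a short alphabetic command followed by the
    splitter. Pair it with the mutex/reg_key value above for host-side
    confirmation rather than relying on it alone."""
    return re.match(r"^[A-Za-z]{1,3}" + re.escape(SPLITTER), payload) is not None


# Constructed registration-style message; the field layout is illustrative only
SAMPLE_PAYLOAD = SPLITTER.join(
    ["ll", "ByABOLHB_" + MUTEX[:8].upper(), "DESKTOP-EXAMPLE", "bob",
     decode_version(VERSION_RAW)]
)


def demo() -> Tuple[str, str, List[str]]:
    """Round-trip the constructed message through frame/unframe, then parse it."""
    wire = frame(SAMPLE_PAYLOAD)
    payload, rest = unframe(wire)
    assert rest == b""
    cmd, fields = split_fields(payload)
    return decode_version(VERSION_RAW), cmd, fields


if __name__ == "__main__":
    print(demo())
```

The unframe helper deliberately returns None on a short read instead of raising, since a capture replayer or proxy will often hand it partial TCP segments; the caller appends more bytes and retries.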

Targets

    • Target

      sa.exe

    • Detect Xworm Payload

    • Njrat family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2 (the Xworm C2 host is a *.ply.gg playit.gg tunnel endpoint)
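The following is an added example, not part of the sandbox report, that turns the behaviour signatures and extracted configs above into line-level detections over endpoint telemetry. The event lines and their "Type key=value ..." layout are constructed for the example. The registry path used for the "Checks computer location settings" signature is an assumption about what the sandbox looks at; the mutexes, install path, C2 endpoints and the *.ply.gg tunnel observation come straight from the report.

```python
"""
Added example: detections for this sample's reported signatures over
constructed endpoint telemetry. See lead-in for what is assumed.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the report
MUTEXES = {"66f73d9b4e94d115b763eaa1ada7d1f1", "lWfA9hbGdE2IDzRq"}
INSTALL_PATH_SUFFIX = r"\appdata\roaming\mason.exe"     # %AppData%\Mason.exe
C2_ENDPOINTS = {("abolhb.com", 505), ("review-monroe.gl.at.ply.gg", 46169)}
# *.ply.gg hosts are playit.gg tunnel endpoints, i.e. a legitimate hosting
# service fronting the Xworm C2.
TUNNEL_SUFFIXES = (".ply.gg",)
# ASSUMPTION: the geofence check reads the machine's GeoID from this key.
GEO_KEY = r"hkcu\control panel\international\geo\nation"

# Constructed telemetry, not real sandbox output
CONSTRUCTED_EVENTS = [
    r"ProcessCreate image=C:\Users\bob\Downloads\sa.exe parent=explorer.exe",
    r"RegistryRead key=HKCU\Control Panel\International\Geo\Nation image=sa.exe",
    r"FileCreate path=C:\Users\bob\AppData\Roaming\Mason.exe image=sa.exe",
    r"ProcessCreate image=C:\Users\bob\AppData\Roaming\Mason.exe parent=sa.exe",
    r"MutexCreate name=lWfA9hbGdE2IDzRq image=Mason.exe",
    r"MutexCreate name=66f73d9b4e94d115b763eaa1ada7d1f1 image=sa.exe",
    r"NetConnect dst=review-monroe.gl.at.ply.gg:46169 image=Mason.exe",
    r"NetConnect dst=abolhb.com:505 image=sa.exe",
    r"NetConnect dst=login.microsoftonline.com:443 image=outlook.exe",
]

# key=value pairs whose values may contain spaces (registry paths do)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Type key=value ...' into (type, fields)."""
    etype, _, rest = line.partition(" ")
    return etype, {k: v for k, v in FIELD_RE.findall(rest)}


def classify(line: str) -> List[str]:
    """Return the report signature names that one telemetry line matches."""
    etype, f = parse_event(line)
    hits: List[str] = []
    if etype == "RegistryRead" and f.get("key", "").lower() == GEO_KEY:
        hits.append("Checks computer location settings")
    if etype == "MutexCreate" and f.get("name") in MUTEXES:
        hits.append("Known njRAT/Xworm mutex")
    if etype == "FileCreate" and f.get("path", "").lower().endswith(INSTALL_PATH_SUFFIX):
        hits.append("Xworm install_file dropped")
    if etype == "ProcessCreate" and f.get("image", "").lower().endswith(INSTALL_PATH_SUFFIX):
        hits.append("Executes dropped EXE")
    if etype == "NetConnect":
        host, _, port = f.get("dst", "").rpartition(":")
        if host and port.isdigit() and (host, int(port)) in C2_ENDPOINTS:
            hits.append("Known C2 endpoint")
        if host.endswith(TUNNEL_SUFFIXES):
            hits.append("Legitimate hosting services abused for malware hosting/C2")
    return hits


def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the events that matched, paired with their signature names."""
    out = []
    for e in events:
        h = classify(e)
        if h:
            out.append((e, h))
    return out


if __name__ == "__main__":
    for event, sigs in scan(CONSTRUCTED_EVENTS):
        print(f"{', '.join(sigs)} <- {event}")
```

The tunnel-domain rule is the one worth keeping beyond this sample: the specific review-monroe.gl.at.ply.gg name will rotate, but any connection from a user-writable path to a *.ply.gg host deserves a look.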
