Overview

overview

10

Static

static

10

ftcracked/...24.exe

windows7-x64

10

ftcracked/...24.exe

windows10-2004-x64

8

ftcracked/models.dll

windows7-x64

1

ftcracked/models.dll

windows10-2004-x64

1

ftcracked/...nt.dll

windows7-x64

1

ftcracked/...nt.dll

windows10-2004-x64

1

ftcracked/visuals.dll

windows7-x64

1

ftcracked/visuals.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ftcracked.zip

  • Size

    11.3MB

  • Sample

    241231-plc8mssncr

  • MD5

    97e4f72d7ed421ceb8c7f2d376b26dcc

  • SHA1

    3e830ba2e71a08e3f2ec5f4492426e2e96177596

  • SHA256

    5a71796f27aa0e6275867bcfaaa08c199a7bb16457c1a7281486e419a94cd43a

  • SHA512

    6bbd1731614cf0fb24b48c0f8bd4227cd41b51a96c501355fdc972335d0db4166731de549e42cbe816bb509da860e39a898ba870619eea36c8c46778551ffe87

  • SSDEEP

    384:8C617CiM33jBVbJsy8PJ8bAoxPPvfQaUh0ErAF+rMRTyN/0L+EcoinblneHQM3eU:hNbJP8PJQAiHVUtrM+rMRa8NuIKt2J

Score
10/10
njratsvhost.exediscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

svhost.exe

C2

5.39.43.50:5234

Mutex

ea0e047ed4e2ee535255119cbaabb438

Attributes
  • reg_key

    ea0e047ed4e2ee535255119cbaabb438

  • splitter

    |'|'|

Targets

    • Target

      ftcracked/FTcrack29.12.24.exe

    • Size

      37KB

    • MD5

      87cfeda63611ab5fd13365448322336f

    • SHA1

      be0b2cf9d79deac19d507911762a662e2b1ee806

    • SHA256

      50c8280cae98b74c34c674348a119bad9c5f07e8ddb766f141056a9dcb0eaa57

    • SHA512

      40ddd3f87f3281bfbb459977177384be825b97786cb333db0108b8a0eb72aea14bb22794c84e5a2ca10fcc3b9f083085d7fd864a3751c81e2b8ae7831b4e8b89

    • SSDEEP

      384:IC617CiM33jBVbJsy8PJ8bAoxPPvfQaUh0ErAF+rMRTyN/0L+EcoinblneHQM3eJ:NNbJP8PJQAiHVUtrM+rMRa8NuIKt

    Score
    10/10
    njratsvhost.exediscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

    • Target

      ftcracked/models.dll

    • Size

      10KB

    • MD5

      f49a3f9bcc49043e92af4646738756de

    • SHA1

      5509b4c2c4ee71e74671764e6a06ac78357e68bf

    • SHA256

      1ad2c0ec6340a0aa260dab25634b6c26333ed0215bff8d6275be7dea8ed2abbf

    • SHA512

      bc9b04c7af6c34fe0666a9dc2891155542de5a8bbfc3cbac35f963f5a225fe67e29f02754577c22fd560e22504a4d514c630f64a3ba51a2d28417950269ed2f8

    • SSDEEP

      6:MXPssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssf:Wr

    Score
    1/10
    behavioral3behavioral4

    • Target

      ftcracked/selectpoint.dll

    • Size

      160KB

    • MD5

      35d21644bf20be9eb6240369eea34c8c

    • SHA1

      3572ab9bd2806907d6535c828fd2184461c00000

    • SHA256

      4d255a0b2bb12f005de95e86799bcfb09d21442d3d5c061cec1dca24d674ecfd

    • SHA512

      f6759016f1ac717dc9b58d4fd806e92643f80f9617f7b89a66d089c165609777b7610033f8995d47d70a08dcf78d50db630039423c87868f6f89ea106d512c68

    • SSDEEP

      6:MXPssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssn:WT

    Score
    1/10
    behavioral5behavioral6

    • Target

      ftcracked/visuals.dll

    • Size

      11.1MB

    • MD5

      4fd95ad9dadfeaad364484e7938de4d1

    • SHA1

      1c17b69242dff428b1f4fe0e61513e856e057d52

    • SHA256

      e1d2fb447406399199856cc3c0293f9f7b80b3dae6c1a552766cac93154a1a6d

    • SHA512

      3de5deccde6ef25d7c959dea8a1171c24273502a954533bb029b0dea0e4c591796c6dbdd2f4dad26e2ff4a7af0f97119431b5b6b9c0a9eb8db35ce62944b5ebc

    • SSDEEP

      6:MXPssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssb:WH

    Score
    1/10
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks