Overview

overview

10

Static

static

10

Паки.exe

windows7-x64

10

Паки.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    044f5254cc209825511ed268a514f1e19b3e9e004506a7b36ce8f201fee91808.rar

  • Size

    37KB

  • Sample

    250103-dpb9zazmhn

  • MD5

    21b710173d40350fc8e82dba01159908

  • SHA1

    1adfb0264a644f5697effad5bdbf3c408c646a1c

  • SHA256

    044f5254cc209825511ed268a514f1e19b3e9e004506a7b36ce8f201fee91808

  • SHA512

    c93dc515928c944c8bbae365817902e5a93b9eee562abd460138125267d592c0624348a55e006297852135bdcb565db2e3096a809a21c015ff820b9b091bbca3

  • SSDEEP

    384:yerP97LsikX9zNf/1uyU7/I3/9sWAnurAF+rMRTyN/0L+EcoinblneHQM3epzXLX:LPlil1lU7/I1dAurM+rMRa8NuV9tX

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

46.109.131.147:5552

Mutex

ec8be36c3337b73abe93167b086d8ebe

Attributes
  • reg_key

    ec8be36c3337b73abe93167b086d8ebe

  • splitter

    |'|'|

Targets

    • Target

      Паки.exe

    • Size

      37KB

    • MD5

      6bea33a53a7d10b5473d8e0c97ddbeb5

    • SHA1

      95a64b2c457f0a95ae96254ce4c12bdb85092c7a

    • SHA256

      fb6369a3a740bd22d773ae27e05d18f2893c6f1ad347f59723e9876983aec496

    • SHA512

      50e8aa941b0a7900e79109b6a39b10236705ffcc02fcf91f21f4b86d52bbf8dc7853084c812ccb29907ae6fc384c6a9d8ec674fb1698faf6d7d18af6977858f0

    • SSDEEP

      384:JrP97LsikX9zNf/1uyU7/I3/9sWAnurAF+rMRTyN/0L+EcoinblneHQM3epzXLNx:lPlil1lU7/I1dAurM+rMRa8NuV9t

    Score
    10/10
    njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks