Overview

overview

10

Static

static

10

MoonHub.exe

windows7-x64

10

MoonHub.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MoonHub.exe

  • Size

    55KB

  • Sample

    250115-svgtzawqdw

  • MD5

    d33c25da94cb95d1e34f9d22cfd51f99

  • SHA1

    b0e82ba0f916dd2e104e612c9a5dc73a96a7b2e1

  • SHA256

    f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047

  • SHA512

    460d29f349edf87720b4841bbbd5f8c9b63c81b11d893b9625622ef5912e1f6ded6c85fbe2ed670a31788df9eb4c1d149994cc14f23413d62023e51a2b30e5e1

  • SSDEEP

    1536:V/pMDnE4uNRty4XzPhhDVwsNMDHXExI3pm+m:rMDnlYk4XdhDVwsNMDHXExI3pm

Score
10/10
njratniggerdiscoveryevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

nigger

C2

2.tcp.eu.ngrok.io:13018

Mutex

49a48a7812fddb0d43bb9f70f2221a57

Attributes
  • reg_key

    49a48a7812fddb0d43bb9f70f2221a57

  • splitter

    Y262SUCZ4UJJ

Targets

    • Target

      MoonHub.exe

    • Size

      55KB

    • MD5

      d33c25da94cb95d1e34f9d22cfd51f99

    • SHA1

      b0e82ba0f916dd2e104e612c9a5dc73a96a7b2e1

    • SHA256

      f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047

    • SHA512

      460d29f349edf87720b4841bbbd5f8c9b63c81b11d893b9625622ef5912e1f6ded6c85fbe2ed670a31788df9eb4c1d149994cc14f23413d62023e51a2b30e5e1

    • SSDEEP

      1536:V/pMDnE4uNRty4XzPhhDVwsNMDHXExI3pm+m:rMDnlYk4XdhDVwsNMDHXExI3pm

    Score
    10/10
    njratniggerdiscoveryevasionexecutionpersistencetrojan

    • Njrat family

      njrat

    • UAC bypass

      evasiontrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Stops running service(s)

      evasionexecution

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks