General

  • Target

    Windows Loader 2.2.2 Final Activate All 7 windows 2014.zip

  • Size

    2.4MB

  • Sample

    250120-atr97stjfq

  • MD5

    e4fc652fdd4845c582571f2381eca6cf

  • SHA1

    6d64ad5af28e015d9ee90c68945339ff741269f3

  • SHA256

    5adca91194964a3a48af7f211f6dbdaf1699d069b63af53698e67de139f90bc7

  • SHA512

    e9a18c45e2001ee179065d02a512b0341eee78e840a09be30a32a631383e7b868f4da2abe492bde4a56b9c96bcf4db5ad49de6f9fcfdad92e1350285d3e1c087

  • SSDEEP

    49152:1gAXKEfHwESmQ9a2xBFG4l0i0LitfznPOc8c5M0grRPtCQ:1NXKEfQES620li0Lit7nPEtP

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    winloader

  • C2

    micho.ddns.info:1290

  • Mutex

    b4b06fba73691824a636375169e7be53

  • Attributes

    • reg_key

      b4b06fba73691824a636375169e7be53

    • splitter

      |'|'|

Targets

    • Target

      Windows Loader 2.2.2 Final Activate All 7 windows 2014/Keys.ini

    • Size

      15KB

    • MD5

      3ba4950bcf43b1c7b714a1d93b57ea86

    • SHA1

      31e7963d19a5e7282d1b6e7476b8923ab26cb8a0

    • SHA256

      1384c5fd758a1bd8c9372594503e22d71b0877d332886a1b7d50cb86c4a0a13c

    • SHA512

      2165e5047334940b77c93bbe4b2eaae1fe924069a9f946f39dd0f5533c0e161a7322e63de378194b96294d33c494240209dd1f6f32dd45c580cb0c058dd93148

    • SSDEEP

      384:WskcEQbtTPQ7xa3VUEV/HwRGjyfdW6fnxZbQr:Ws2QJw+hPz+flbQr

    • Score

      1/10

    • Target

      Windows Loader 2.2.2 Final Activate All 7 windows 2014/Read me.txt

    • Size

      32KB

    • MD5

      3e83d11dcd0d1dc8b6cf531353cf9e81

    • SHA1

      0853bfd45b91252a7dc10bd34a4aed267ee67e43

    • SHA256

      b5fcbf4b91c436640aab0e8106f942cd47080bf799a22d747b5cf898bd13475c

    • SHA512

      18f67001f935021a80b4ee81a9a8ed3b2f9239f8f1d2779114631f90aef4d91d109b15c0722d8cdc13bbc6bac652e361b0835e6a075a3ff55fd4ed7f6f393fcc

    • SSDEEP

      768:pKymLFrk3yV2pX/htvMGOHkOaf7luCfp3yeIvWVp9h:o5k3yV2pvhtvMGOHkOaf75fp3yeuWVpX

    • Score

      1/10

    • Target

      Windows Loader 2.2.2 Final Activate All 7 windows 2014/Windows Loader.exe

    • Size

      2.8MB

    • MD5

      5c59dc709c68247d4b4bab4e516f0860

    • SHA1

      0c6af593d65518cd477e6a1b27bc3213fa916367

    • SHA256

      5ba8646c24d7f2461fabe1a8d63de50c257ea5f77abf1a865ac7f48b8f47f73b

    • SHA512

      3dbdba310827a1465b032a05da59f0d0a69e39cc72464a92988959b60f7bc7d0df2caad4ea59fafb173a3766bb00a0a59585637cfea0ec840ac9d568ac3d16f7

    • SSDEEP

      49152:kVg5tQ7a/pLsESokRMyJLD2Yv0O0LODBz1HY4QmrQCqVjB9S95:Og568oESKys7O0LODd1H61

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
