Resubmissions

03/02/2025, 21:57

250203-1t5hmsvmat 10

03/02/2025, 04:37

250203-e896saslgn 10

31/01/2025, 18:35

250131-w8gmxatmc1 10

General

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Low3n

C2

192.168.100.58:443

192.168.42.7:443

Mutex

e4c7f2e5b82fac0d624ab661f39b28fa

Attributes
  • reg_key

    e4c7f2e5b82fac0d624ab661f39b28fa

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1177

104.238.137.213:5552

192.168.89.1:1177

192.168.1.5:666

myhotkkk444.duckdns.org:4444

JohnRicardomilos-33746.portmap.io:1605

127.0.0.1:5552

192.168.56.1:5552

shytanoff.ddns.net:1177

127.0.0.1:2020

192.168.0.27:4444

shytangz12.ddns.net:1177

dalpzy.ddns.net:1085

updatesystemtool.ddns.net:1337

jhonjhon4842.ddns.net:1177

192.168.1.16:5552

fidapeste.duckdns.org:5552

harris974.ddns.net:4444

127.0.0.1:4789

bo6y1.hopto.org:1609

Mutex

aeeb7a2903c8c537463f288bcc5eed2e

Attributes
  • reg_key

    aeeb7a2903c8c537463f288bcc5eed2e

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

127.0.0.1:9040

bomi.duckdns.org:8080

192.168.1.7:8080

jhonjhon4842.ddns.net:6606

jhonjhon4842.ddns.net:3389

denemeiso1.duckdns.org:5060

sam144169-56334.portmap.io:56334

sam144169-56334.portmap.io:5552

sam144169-56334.portmap.io:5050

webforma.chickenkiller.com:56334

webforma.chickenkiller.com:5552

webforma.chickenkiller.com:5050

webdata.ddns.net:56334

webdata.ddns.net:5552

webdata.ddns.net:5050

62.108.37.42:8808

noregisterdomain.zapto.org:9040

82.84.85.59:1608

number2.duckdns.org:6606

number2.duckdns.org:7707

Mutex

ertretythhrrthttrhth

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

hacked

C2

sexystar.myq-see.com:5552

Mutex

DC_MUTEX-6BSXQXU

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    1JlJEAuNqqm6

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

Mikel_04

C2

ventoclima.hopto.org:8678

Mutex

DC_MUTEX-J9C4X34

Attributes
  • InstallPath

    Temp\Taskmgrk.exe

  • gencode

    mn82vWE9luVq

  • install

    true

  • offline_keylogger

    true

  • password

    Mikel2019

  • persistence

    true

  • reg_key

    taskmgrk

Extracted

Family

darkcomet

Botnet

Mikel50

C2

ventoclima.hopto.org:58589

Mutex

DC_MUTEX-1M2MJNL

Attributes
  • InstallPath

    temp\taskmgrk.exe

  • gencode

    n7v7WtYPsejG

  • install

    true

  • offline_keylogger

    true

  • password

    Mikel2019

  • persistence

    false

  • reg_key

    taskmgrk

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

984559f52d4087243e95e5ad9bb48e8d

Attributes
  • reg_key

    984559f52d4087243e95e5ad9bb48e8d

  • splitter

    boolLove

Extracted

Family

asyncrat

Version

0.5.5A

Botnet

null

C2

192.168.1.9:8080

Mutex

jsdmhpiwkzhk

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Infected

C2

noinmy.ddns.net:9999

Mutex

BW7JOTpOU1me7DhAhz

Attributes
  • encryption_key

    cuGnTFdzZchzOboCjJyu

  • install_name

    dashost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WinServe

  • subdirectory

    DAF

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:2302

127.0.0.1:1604

rdp2.dgsn.fr:213

jasonbrody2019.hopto.org:5555

tzii.myq-see.com:888

127.0.0.1:90

127.0.0.1:5555

memo445.ddns.net:1337

192.168.234.157:4444

192.168.197.128:1337

192.168.1.2:333

174.127.99.217:1016

193.161.193.99:8888

193.161.193.99:57904

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

LimeRevenge

Mutex

3f4-8b13-1cf6666e4149

Extracted

Family

njrat

Version

0.7d

Botnet

B HAT

Mutex

cd1f49ff557041b28396a032e2b161ee

Attributes
  • reg_key

    cd1f49ff557041b28396a032e2b161ee

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

127.0.0.1:5552

Mutex

64dfa84fd6a14d54bb5da02b3d38a087

Attributes
  • reg_key

    64dfa84fd6a14d54bb5da02b3d38a087

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

127.0.0.1:9045

127.0.0.1:8080

192.168.1.7:8080

159.65.15.187:5552

127.0.0.1:5552

unregisteredhost.dynu.net:9045

omnibeees.ddns.com.br:5552

winddns.publicvm.com:5552

whoisdomain.zapto.org:9045

Mutex

13f63b20924948f

Attributes
  • reg_key

    13f63b20924948f

  • splitter

    @!#&^%$

Extracted

Family

njrat

Version

0.7d

Botnet

Test Bypass cho down load

C2

127.0.0.1:1234

Mutex

165d6ed988ac

Attributes
  • reg_key

    165d6ed988ac

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.3.0.0

Botnet

VN333

C2

billythesailor.ddns.net:4782

billythesailor.ddns.net:4707

billythesailor.ddns.net:4708

Mutex

QSR_MUTEX_EZD0hpIqeXmWmfSZR5

Attributes
  • encryption_key

    6dtdGsEtLLsDNKEXgV4zSrTRpfxT2qGQ

  • install_name

    Windows Startup Service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Startup Service

  • subdirectory

    SubDir

Extracted

Family

limerat

Wallets

bc1quugyyqeyjw9z2qdetazwpp6jfpdqnscxj3jxgq

Attributes
  • aes_key

    123

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/zVbipP9N

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

remcos

Botnet

Host

C2

127.0.0.1:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_vruzvedwdwvizfq

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

njrat

Botnet

Visual Studio

Mutex

d72f69dfb2e45fb7b2acbc62f8219a16

Attributes
  • reg_key

    d72f69dfb2e45fb7b2acbc62f8219a16

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

192.168.1.2:1177

ghassan2019.ddns.net:1177

127.0.0.1:1177

192.168.1.11:1337

43.229.151.171:1177

43.229.151.191:1177

103.82.249.74:5552

memo445.ddns.net:5552

saleh200.hopto.org:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes
  • reg_key

    5cd8f17f4086744065eb0992a09e05a2

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

127.0.0.1:8080

1.243.157.185:6522

Mutex

9e549438c56317b24cd87c987b694da8

Attributes
  • reg_key

    9e549438c56317b24cd87c987b694da8

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

0.6.4

Botnet

YourPhone

C2

157.245.220.192:1177

Mutex

bec01544ef6b0bb361f68d796213ad70

Attributes
  • reg_key

    bec01544ef6b0bb361f68d796213ad70

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKeD

C2

85:85

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

YourPhone

Mutex

be7a6446994c64053a860ca10a12ce1e

Attributes
  • reg_key

    be7a6446994c64053a860ca10a12ce1e

Extracted

Family

njrat

Version

0.7d

Botnet

required installation

C2

uxnr.ddns.net:7144

Mutex

a2d1b1b05cb0b58cf6e21aefb30df1db

Attributes
  • reg_key

    a2d1b1b05cb0b58cf6e21aefb30df1db

  • splitter

    |'|'|

Extracted

Family

njrat

Botnet

Person_Anonymous

Mutex

b48bd383056441b474989fb5582a172b

Attributes
  • reg_key

    b48bd383056441b474989fb5582a172b

Extracted

Family

njrat

Botnet

Hacked By HiDDen PerSOn

Mutex

687a11c6212507fa992aa1644b336ef5

Attributes
  • reg_key

    687a11c6212507fa992aa1644b336ef5

Extracted

Family

njrat

Version

im523

Botnet

HacKed By KiLLeR

C2

killerfo2.ddns.net:1177

killerfo22.ddns.net:1177

Mutex

61e53fca4b50eaee89f696351aed3589

Attributes
  • reg_key

    61e53fca4b50eaee89f696351aed3589

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

yano.ddns.net:1605

84.217.125.142:80

127.0.0.1:35855

hostnj.ddns.net:1177

Mutex

7d6d30a897de0ce8a1f25f71e40d0c4d

Attributes
  • reg_key

    7d6d30a897de0ce8a1f25f71e40d0c4d

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

client

C2

akamaru.ddns.net:1605

netcatclink.ddns.net:4444

Mutex

aa15bd929c7132fe8f63fd4d0ae48d6c

Attributes
  • reg_key

    aa15bd929c7132fe8f63fd4d0ae48d6c

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

192.168.234.154:5555

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Version

0.7d

Botnet

Test

C2

10.10.10.25:2525

Mutex

2cf8612501da0a1a00fe5c300206e7a5

Attributes
  • reg_key

    2cf8612501da0a1a00fe5c300206e7a5

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

bustabit

C2

wogusnn.ddns.net:5553

Mutex

d963ad78fcad26750b040b7fff9e4835

Attributes
  • reg_key

    d963ad78fcad26750b040b7fff9e4835

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

HacKed PUBG

C2

cantburn.hopto.org:1177

Mutex

7b5444a8f8ca9a359aadb891c7e9f01b

Attributes
  • reg_key

    7b5444a8f8ca9a359aadb891c7e9f01b

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HHHXXX

C2

black101.ddns.net:1177

Mutex

c7c947d665980e197b736d98adf01cc0

Attributes
  • reg_key

    c7c947d665980e197b736d98adf01cc0

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Kjh

Botnet

마인크래프트

C2

14.46.160.76:5552

Mutex

06d63ada0dc02c6a44ed3c3fc5c89d83

Attributes
  • reg_key

    06d63ada0dc02c6a44ed3c3fc5c89d83

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

x014.hopto.org:4444

192.168.1.16:4444

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

Kulum

C2

34.89.221.19:4444

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Version

0.7d

C2

45.76.29.16:5552

Mutex

738e6a0cd25e647b7eb7d6cdad689401

Attributes
  • reg_key

    738e6a0cd25e647b7eb7d6cdad689401

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Pubg Mobile

C2

Owais5050-61656.portmap.io:56607

Mutex

6cd2713f4eecf0bba2b136a5ea65aac1

Attributes
  • reg_key

    6cd2713f4eecf0bba2b136a5ea65aac1

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

pinatanai

C2

159.65.15.187:5555

Mutex

ca60c420c99495343bf4e523a6b382cc

Attributes
  • reg_key

    ca60c420c99495343bf4e523a6b382cc

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

deme

C2

192.168.1.34:4444

Mutex

4a511581dfdc310e4c48feb89e0695f4

Attributes
  • reg_key

    4a511581dfdc310e4c48feb89e0695f4

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

Kjh

Botnet

HacKed

C2

180.230.116.72:5552

Mutex

8e3709de950aab92ac1a166058ff0595

Attributes
  • reg_key

    8e3709de950aab92ac1a166058ff0595

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

Person

C2

127.0.0.1:456

Mutex

dae31c02cb06222e776b9ccb9207edb1

Attributes
  • reg_key

    dae31c02cb06222e776b9ccb9207edb1

  • splitter

    |'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

gariban

C2

rothilione-41041.portmap.io:41041

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

2020/

Mutex

cad6ec042b06ac31e129fbc8d13eabe6

Attributes
  • reg_key

    cad6ec042b06ac31e129fbc8d13eabe6

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

34234234

C2

146.158.107.225:8408

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

SAD NIGGA HOURS

Mutex

06ba6a3d895af3b2b6823852ec271c67

Attributes
  • reg_key

    06ba6a3d895af3b2b6823852ec271c67

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

195.222.172.238:5228

Mutex

svchost.exe

Attributes
  • reg_key

    svchost.exe

  • splitter

    njrat

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

C2

tolga182-49359.portmap.host:1604

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Botnet

Hacked

Mutex

19398dcbfdab92aeb0734478a2451d20

Attributes
  • reg_key

    19398dcbfdab92aeb0734478a2451d20

Extracted

Family

njrat

Botnet

roby

Mutex

4bda69d82f2ad26800386604df9bc3de

Attributes
  • reg_key

    4bda69d82f2ad26800386604df9bc3de

Extracted

Family

njrat

Version

0.7d

Botnet

victime

C2

tutoratderz.ddns.net:5552

tutoratderz.ddns.net:1605

Mutex

61f6d5680d79146f1177cacbfc3022ce

Attributes
  • reg_key

    61f6d5680d79146f1177cacbfc3022ce

  • splitter

    |'|'|

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

127.0.0.1:333

NOREGISTERDOMAIN.ZAPTO.ORG:9045

helpdeskcamfrog.ddns.net:2222

3030pp.hopto.org:1000

r3dc0d3r.duckdns.org:12301

toloro.duckdns.org:5555

fullcdt.hopto.org:333

sensual2020.ddns.net:3000

192.168.1.2:2222

alien007.my-firewall.org:8080

cuenta.hopto.org:5214

Mutex

2cc2152a0871

Extracted

Family

revengerat

Botnet

R A D

C2

KevinDavis-58161.portmap.host:58161

192.168.1.112:4444

kevindavis-58161.portmap.host:58161

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

al3nzii.myq-see.com:4782

hoba7be.ddns.net:4782

127.0.0.1:2323

149.28.201.253:4782

192.168.2.9:1783

86.93.121.149:1783

192.168.234.157:1234

127.0.0.1:4782

192.168.1.100:4800

Mutex

QSR_MUTEX_QSMxTkfFj770mwaMaj

Attributes
  • encryption_key

    zunmXxOhff9hBVcOIy8a

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Kurban

C2

gameranil88-34655.portmap.io:34655

Mutex

QSR_MUTEX_Mq8fSFRilMUG89GjSc

Attributes
  • encryption_key

    wE4B3JaW3vEUIIrvszcF

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    1

  • startup_key

    WindowsUptade

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Force One

C2

umcarasozinho.giize.com:5552

Mutex

QSR_MUTEX_rXuzhrms6m5Gx0d0lk

Attributes
  • encryption_key

    2yzv2TDIqCeGLodEWuqz

  • install_name

    systemhelper.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    systemhelper

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

New

C2

ipaf3.sytes.net:5353

ipaf4.sytes.net:5353

Mutex

QSR_MUTEX_IRT4UgcGhk975OVXdn

Attributes
  • encryption_key

    AWkTsOYsl9wIkH8LUfG4

  • install_name

    Driver.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Drivers

  • subdirectory

    Drivers

Extracted

Family

quasar

Version

1.3.0.0

Botnet

CoDer

C2

skypeprocesshost.ddns.com.br:4782

workwinrarhost.ddns.com.br:4782

office.minhaempresa.tv:4782

authy.winconnection.net:4782

Mutex

QSR_MUTEX_waaDBjBTwvE4jQF1CY

Attributes
  • encryption_key

    syxdBvDrFCjAln3AxGRZ

  • install_name

    0ffice.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    msg

  • subdirectory

    Office

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Ps

C2

45.74.53.124:4782

Mutex

s5v8y/B?E(H+MbQeThWmZq3t6w9z$C&F)J@NcRfUjXn2r5u7x!A%D*G-KaPdSgV

Attributes
  • encryption_key

    sEybIz3EK3xXIpG2z1h2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    0

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Force One PC MASTER

C2

apenasumcarasozinho.hopto.org:5552

Mutex

QSR_MUTEX_HqC3bVY0FTFbgxQirr

Attributes
  • encryption_key

    5RhS5uBxvlwTtS4KFhfw

  • install_name

    systemHelper.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    systemhelper

  • subdirectory

    SubDir

Extracted

Family

nanocore

Version

1.2.2.0

C2

uniformmm.ddns.net:1543

127.0.0.1:1543

spowpow12.hopto.org:5678

127.0.0.1:5678

127.0.0.1:54984

192.168.1.16:54984

ahmedt.duckdns.org:113

ghfsquad.duckdns.org:8192

ludwigh.duckdns.org:8192

jhonjhon4842.ddns.net:53896

jemoederspow.ddns.net:5678

192.168.0.129:54984

Mutex

8c89a093-5ac7-424e-8c76-2e80c157bade

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-10-14T14:42:04.641145036Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1543

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    8c89a093-5ac7-424e-8c76-2e80c157bade

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    uniformmm.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

0.7d

Botnet

Downloading

C2

console-wifi.ddns.net:5552

Mutex

3dfad3bbc7bad1562c683adfee1a8e48

Attributes
  • reg_key

    3dfad3bbc7bad1562c683adfee1a8e48

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

RECUP NOIP

C2

9292.ddns.net:10140

Mutex

1f0c56d11a4a44433acf4728c597fd66

Attributes
  • reg_key

    1f0c56d11a4a44433acf4728c597fd66

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

내따꽈리

C2

asdgdcvxzcv.kro.kr:2222

Mutex

651deda00b27ab86d974483926aa2300

Attributes
  • reg_key

    651deda00b27ab86d974483926aa2300

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

NEW

C2

sharrych.ddns.net:5556

Mutex

723520b640cb39476dbbd3d566c664da

Attributes
  • reg_key

    723520b640cb39476dbbd3d566c664da

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

clienta

C2

achraf4.ddns.net:4500

Mutex

59d56b3983b444c86e2da951d0302f3b

Attributes
  • reg_key

    59d56b3983b444c86e2da951d0302f3b

  • splitter

    |'|'|

Extracted

Family

warzonerat

C2

tresor2020.ddns.net:2020

178.238.8.111:2626

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:999

127.0.0.1:81

Mutex

0Y7117LDCV0730

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Extracted

Family

latentbot

C2

jokernet2019.zapto.org

Targets

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.foww-c4682163181637eb17e174cc795eba8b094f6d6c76a60b14cdfa38ae7471c768

    • Size

      347KB

    • MD5

      b2b351958075d91039a2e47203a3c9a0

    • SHA1

      c5965141602832439c8c59935c0bb0aed87ec642

    • SHA256

      c4682163181637eb17e174cc795eba8b094f6d6c76a60b14cdfa38ae7471c768

    • SHA512

      c8f64e29b1e056ac2d02638dd0e13b4fbaaa5dbd094a8b76c3610094e89869fbcae0335299615ccdf8b5c202a010873f3bc4cb7d64cefd6bd227623fcd767aca

    • SSDEEP

      3072:QnNL++0BS7cD00iKpyDcsvY8FhMYYCgxSoF7+H88uEThFcbW7yW2eNJKaozrdKwt:QNN0Y7E00iyhjv7+HoacbIz+kwA8

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-0737463d0ed8addd2c9adf17c3289e48ea012750b5f826da5b33da8408341e3c

    • Size

      203KB

    • MD5

      cc214d61ebb2b63d738e64cba831722e

    • SHA1

      0387a2073cab7fbd99cd9c9c951b9afa6ba1097c

    • SHA256

      0737463d0ed8addd2c9adf17c3289e48ea012750b5f826da5b33da8408341e3c

    • SHA512

      cdacc8971faceb69097b9a2053e059d061c65bad0c7e4141e8f0a6cadf740bd5537afc9f17e38be5e1eed60566b9fa6542dd1b3ead834ab16f23111060db684f

    • SSDEEP

      3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIm1b8Wd2H2hdHZVLdkj3:sLV6Bta6dtJmakIM5tfTzHTLaj3

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-86c8896067480a260f931692b6f2223d603415a0708e8d16cc5ead90f9b22ba3

    • Size

      362KB

    • MD5

      74db23e9489da1c4b4098c8b49faf65f

    • SHA1

      e7692bdbeafa8523ed14ef77f88037724ad34338

    • SHA256

      86c8896067480a260f931692b6f2223d603415a0708e8d16cc5ead90f9b22ba3

    • SHA512

      1f6b13769838bbfa7afddaaaa84295c40d81230e9e314bce26bb858be7baa25294fe6483b8f25d1092e3627cdb4c0642d121e94e49d925a78c3ee6ea4e1140f9

    • SSDEEP

      6144:3LV6Bta6dtJmakIM5tpr/jHrGS/UwJCgwXY7RURu0KX:3LV6BtpmkA/jHrGGyI1UU0I

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-aea3597f24009ec7a5212edf353080643e43839f2a5e6933c456c8d3aa147da5

    • Size

      202KB

    • MD5

      f969f3b867be178a9f285846e5346b4a

    • SHA1

      cac03cb1525f35607722559dfd44b734dddf5757

    • SHA256

      aea3597f24009ec7a5212edf353080643e43839f2a5e6933c456c8d3aa147da5

    • SHA512

      84b8483dd4161c9523679ed1493c2a3deb517f32a39ae41311b8cf486ee9d4e987b41194ac94fa2e382cda243d970a5bf0197580fce0dcaa12e947ccfa69695e

    • SSDEEP

      3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIUqE+3XxbDMXuWxbsxXykXbQ:wLV6Bta6dtJmakIM5sEMAt5sxXykU

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-b603ac369d000ccf2c33d13a62af4e02a41ee021ff787427505b83a86460c047

    • Size

      202KB

    • MD5

      b2e7af4f6bc15f26223a1a37b34be564

    • SHA1

      b1bf5eae3cfd17a2e1e39fe858e66e15a651492c

    • SHA256

      b603ac369d000ccf2c33d13a62af4e02a41ee021ff787427505b83a86460c047

    • SHA512

      6925d35098dbfe5e8d0f1aed036b1509f713478000715d177ef633d6d3ccfdbff9f31a648a1986fadf11f3bbb20d08cfe29b4b5c7e1a2ebab892a2653936dca7

    • SSDEEP

      6144:QLV6Bta6dtJmakIM5/jaSdHlHMLHLpnN59:QLV6Btpmk43FmHLpnN59

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-c4e48bc0716a6eafda6fc596fc5a38a201071d76551ebb14921c6b38adf8deba

    • Size

      202KB

    • MD5

      7e35860554ce9d267221e57d1f962fe2

    • SHA1

      0794fae039c53ddabe5b7f42fe15da0cebce4bf1

    • SHA256

      c4e48bc0716a6eafda6fc596fc5a38a201071d76551ebb14921c6b38adf8deba

    • SHA512

      48af17a3bf3875806d78b3d95b6cd319d3f5ffbff8ff829ca498729d107d83d5e89cc6e23043f260c56454a59bd6d256625187811a5803cbb4b2e45a33675af5

    • SSDEEP

      6144:gLV6Bta6dtJmakIM5kSxxV2Pvj3Y+w5A6w:gLV6BtpmkS2PvTUw

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-cc559587825877b40a955baeea22039cbc35813ee00e139fa6a3c90b7355283a

    • Size

      202KB

    • MD5

      09a63fe7e33c5772310f583654ba2ecf

    • SHA1

      799f92c2ee5b9922a159d2ca51428a294ce56288

    • SHA256

      cc559587825877b40a955baeea22039cbc35813ee00e139fa6a3c90b7355283a

    • SHA512

      483f486f9145c911b0c6333fcf8aa7fba29ed675970b0462abcdac710204cb8b7b5027dfc24ffb927ae44736b421fd492f38641331175a5ca18b575fee76d445

    • SSDEEP

      3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIUx0EhIW0DJsuNRBIEEgmzI6:gLV6Bta6dtJmakIM5gEIGuNR5Rh6

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-d44670b7dede4487ecc7d4a61f28a0462591fac8d303aa36b8b376001c79111d

    • Size

      203KB

    • MD5

      ca4570eb9ea8dad4939a10b9b44bbfc9

    • SHA1

      8df59eb7a108ae2207be3b25645baffb9163f38a

    • SHA256

      d44670b7dede4487ecc7d4a61f28a0462591fac8d303aa36b8b376001c79111d

    • SHA512

      9c1784c3e7a37b61f2b2c729a6241a8b9edd60770ac6fbcb19840e68fbe6e33123c3d6b36b676dc4ccba24715dd4e09e06bb652a6319622162abe1dd3c10b0d0

    • SSDEEP

      3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIv2TAbNuQjvg+g0+cNESOlsDCU:sLV6Bta6dtJmakIM56b0QkT0+uDO9GV

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-d8c2b06570a0c86994d2ddf5b0e98d69365d9541ff262a03f4c1271d2def4cff

    • Size

      361KB

    • MD5

      cba7ad7d13759195b2b1d206bc7ab693

    • SHA1

      feae81b1d82113f26e078c03ba1e9eddf2ea4984

    • SHA256

      d8c2b06570a0c86994d2ddf5b0e98d69365d9541ff262a03f4c1271d2def4cff

    • SHA512

      faa67ec24e6b7ef8e87e6bb3c9073ebb26d5b8521010d9bd7d0e32d06bbf683bfa393172c14c2cfe0d260d0a17ff3c9edd4f5c948d441902862b1ee021213fad

    • SSDEEP

      6144:vLV6Bta6dtJmakIM5PbakdrR008VkErBLQ6njxYxQCSJla:vLV6Btpmkybak9R0mKRaxhSS

    • Target

      bazaar.2020.02/Trojan.MSIL.Agent.fpar-e039762eca5db26ade1a4e3483916193ebbd335b5760c54a2b2243877f41ed73

    • Size

      202KB

    • MD5

      a64655bf61d66363efb4331000aa24d2

    • SHA1

      be79198f6ad392de1ee6252b8ec3b64e8f1923ef

    • SHA256

      e039762eca5db26ade1a4e3483916193ebbd335b5760c54a2b2243877f41ed73

    • SHA512

      bcd1d890212e48ff1692bc36e025cd90c90b8fc3f76fb18d8b56a797df535fc3df511a3d75dbee8ecfd509be01cc25dbb04b171674633945dae098b72c767595

    • SSDEEP

      3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIYzCbXfzANcJjmA/aKav8Sgd7f:wLV6Bta6dtJmakIM5Suo2oVu5Ezmmb1F

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-18c601f2c857a8fc639396cc131bde47b16c0bca95ea7f2ca78f7020adc77b8b

    • Size

      23KB

    • MD5

      fbcf24e9b288280176263603acbd3ec9

    • SHA1

      4baa33fab2e94a78a95004609e00afc500ae3997

    • SHA256

      18c601f2c857a8fc639396cc131bde47b16c0bca95ea7f2ca78f7020adc77b8b

    • SHA512

      c6e39ed16bdd31b376e8c908e444047145df75d7c0e0b56c5c0357eb4087ca651bef8d64b2a279e6ef7114c4e10ba59061321e54af29ed7394c70230a39592ca

    • SSDEEP

      384:8cqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZcZ+:b30py6vhxaRpcnuH+

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-2d373452dedac769b8f2ef99985f0c1fd21f4a5d45f45b9e301196da80223ec4

    • Size

      23KB

    • MD5

      84673a3ddd2ad4bf77244c35ef438782

    • SHA1

      3e0f4433e026ade25d9d4d64641c7b710aa6da58

    • SHA256

      2d373452dedac769b8f2ef99985f0c1fd21f4a5d45f45b9e301196da80223ec4

    • SHA512

      78bce3e252e75dba48da695548ea20b370083ff516864d11b8e624a4309c1e6cc751b49135f975cfbada6d7cecee4cfe00e95ff8db2046019e4e52bfeba5c1c9

    • SSDEEP

      384:6cqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZcZ2:930py6vhxaRpcnuH2

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-7eac3dab8df1f347802cbb863cb525b4c00e2b6d5488b409969967bb2baac695

    • Size

      23KB

    • MD5

      8780e4b57f1a4672aebdfdc2d31ff2cc

    • SHA1

      a3ddc9c9341482de7216443cf43f84836a004c55

    • SHA256

      7eac3dab8df1f347802cbb863cb525b4c00e2b6d5488b409969967bb2baac695

    • SHA512

      dcc088dedfa83b2afca302f8b85cf9ec0e5b553481e5eb06bdf565d8621bc79b050a56188b741fce5ef1fcf5ab249c7d79b0d087fbda98b1bb6bd91262752d44

    • SSDEEP

      384:FcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZAZX:G30py6vhxaRpcnuDX

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-afc68f8b78045786888471eb198cccacfff9fb5b6e39f7ca585222d60d52ff9d

    • Size

      23KB

    • MD5

      614e552afdb18fdf55f813adac872fc4

    • SHA1

      089bcaf256579edf04d5f1ed9ec6077df1724ba8

    • SHA256

      afc68f8b78045786888471eb198cccacfff9fb5b6e39f7ca585222d60d52ff9d

    • SHA512

      11dced8ca2b229b1e014c833b206fa089b6c273bb3946e74d132f98828e377cbde7788dfe48ca563cbae0ed160a7c1f686b180c344ac0a28cd20d23195be8828

    • SSDEEP

      384:Vdc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZpC6:VOIU0tw3Rpcnu6

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-c3e9e467dc54d54f8794d49cb9f5daf9aa7371121c7e5411eabc4061d7555094

    • Size

      23KB

    • MD5

      065a2ba9b4a0b5114419b00e4764fb92

    • SHA1

      c24f8597a1913f1e4a5043f49505e7a06bb67bfe

    • SHA256

      c3e9e467dc54d54f8794d49cb9f5daf9aa7371121c7e5411eabc4061d7555094

    • SHA512

      3730ff25b74a369cbd69b1c720ee866d4b0bcce225a6273f72f061f297e60a7631981cc9aa39533237a187978f48aaa404ccffbe0894062feb527ea46396f4b5

    • SSDEEP

      384:wdc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZpI:wOIU0tw3Rpcnuh

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-f489cba00e6d7bc606ea137f639ac40baca8871474066bec0a839fae75de4eaf

    • Size

      23KB

    • MD5

      9c691e60b7ffdaec80cb169114b784f2

    • SHA1

      1d7df5d95f0e4ff3c5825c4aed7d3838d0c02f1e

    • SHA256

      f489cba00e6d7bc606ea137f639ac40baca8871474066bec0a839fae75de4eaf

    • SHA512

      84b9f8c7de1107f95c3833d0e556bbdffeafc33da9346ccc66d080e05b16946e048f271d6a84649792d1847ffb805b0ab24402d25d4eca2a77e2f9e80bc67264

    • SSDEEP

      384:dcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZiC:O30py6vhxaRpcnuy

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bop-fe30c3e3acd5449124af4d0f78bd33a4e6a35d4240d9c7ad8dea1a1332e1312d

    • Size

      23KB

    • MD5

      8f45e7c4af6c9253d95d8bdf6fcbbbdd

    • SHA1

      cccdaf134382fba0e422da809a860a9b2b5e252c

    • SHA256

      fe30c3e3acd5449124af4d0f78bd33a4e6a35d4240d9c7ad8dea1a1332e1312d

    • SHA512

      877bff6a652d0c116884bddd15ab2fbc2784e372c53e6a0f6db84b1d3c6add0ff2c2b6064fada31cc43a7f8887bb06d8ee77ddf0072e9814e7daef58f4fc0696

    • SSDEEP

      384:sc68yCasVKDh3OQyNpsQ1im/VjJs+PyR46vg5J++p57nhmRvR6JZlbw8hqIusZzz:S873Kt+QesGN/VjZPQRpcnuG

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqd-a88edeb377205df24d69e4215b7d48f251231fdca07763cb498b9b0107629eca

    • Size

      23KB

    • MD5

      4c9d43b1e31e151789a1ac9d15fd994b

    • SHA1

      9b5dd2d92bbb37958e382abd780dc6c0d3c890d6

    • SHA256

      a88edeb377205df24d69e4215b7d48f251231fdca07763cb498b9b0107629eca

    • SHA512

      dc9c82917ff3a9d97b65e06bf4a9d6b7a66b92e6aeadfe6fad7fed48c999f1adb6c6f7a2b58aa1034dddbee30e0d308ad78f1ecfa16b2eb78234e1484998a060

    • SSDEEP

      384:BYmCsg/yJrQ7hucGSl7UJx4g6JgfCcosjddmRvR6JZlbw8hqIusZzZ+1:WrG0Btl7rRpcnud

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqd-bb42676345c8aed263ed1e32c7ce22c5e6a9838a92c21d376e39356db0dbd940

    • Size

      23KB

    • MD5

      27725ba2001158dcad12407e7bd40e6f

    • SHA1

      0c9330a50afd2fcd69886631fc3828a0703b22e7

    • SHA256

      bb42676345c8aed263ed1e32c7ce22c5e6a9838a92c21d376e39356db0dbd940

    • SHA512

      e8f6112588f1ed24c39f07df9ff3bedcf7d2f5a991ed3752d0fa1fa886d02e2ab378a7cfdb5996bbb900d6b5881957398e510d775ddd16b9e949e3526435ffb0

    • SSDEEP

      384:cluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZOaP:LOmhtIiRpcnuB8

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqd-f710f839c4211f980cb6f2c2ba51e28eda20891810e5a57ac395bf467ff6fedf

    • Size

      23KB

    • MD5

      e1e660fdfba985128d7a1e78a4365082

    • SHA1

      4559a30780ffbe95282988c7710ae5dedd758d0d

    • SHA256

      f710f839c4211f980cb6f2c2ba51e28eda20891810e5a57ac395bf467ff6fedf

    • SHA512

      d2dd0a8812419e01e5b9bc34c2ad5fd848c347af3512d573bddf95aec87d80a9c5b5f991e6345a33d6f555d4582a8121d468fa2d5ddc6d41bf7d8c7bab242509

    • SSDEEP

      384:CzmicUDPiJUQrlRGSHCYlbY6ZgvSMBTtxmRvR6JZlbw8hqIusZzZWJ:OpD2btHxRpcnuh

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqd-fbfea1db4497202597c91cfda1d44136e85ca74fbf780baab2f1b1520c724cd8

    • Size

      23KB

    • MD5

      3ff1c9a4374b6796cdd642efab97169f

    • SHA1

      8a7f3f69324b3dceb8e1aecae2dbf6fbe9f65693

    • SHA256

      fbfea1db4497202597c91cfda1d44136e85ca74fbf780baab2f1b1520c724cd8

    • SHA512

      804aa71e6b883973e7978e39d2724784c978ab1c1ec741fa2544968273cabd771907321f5918408880a0f15b38f1db9080889f27d6830c0853da8b5098654874

    • SSDEEP

      384:iluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZqZY:1OmhtIiRpcnulY

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqg-931238083c5373a7b48f5d06916e4832af77af36a0b6569f9750511d509dc490

    • Size

      23KB

    • MD5

      810327e7c2cce69ceb39ba9632c6a8b6

    • SHA1

      f98c2d8cc31dac348838bdf29dc1c96cea8469e6

    • SHA256

      931238083c5373a7b48f5d06916e4832af77af36a0b6569f9750511d509dc490

    • SHA512

      9c364a05ca47ccaec29c76def8034913ee6eafa4ec704c7231d0ceeb546b4d46af934a5d79968bee551481c5d7e18b28a52069dc57cc46f1f93da5bbcd40e9d2

    • SSDEEP

      384:rweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZnK:MLq411eRpcnut

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqg-ae9ba2145b99bca3d87d444a47246a5bcd426993c74733faf4892d20e195d6b0

    • Size

      23KB

    • MD5

      5df583ec3d0da73461aa193c2aea4d23

    • SHA1

      1841a11cb50fa14470a98a469547ee9169df1caf

    • SHA256

      ae9ba2145b99bca3d87d444a47246a5bcd426993c74733faf4892d20e195d6b0

    • SHA512

      f8f7defd5348380905ab2e3906b671a46506eda7909514bf6b10a3c541b5f35e4e0d5c6563c82f972125b79d6f079218d1870d3880dcad0f4ec82a2a5cf505b6

    • SSDEEP

      384:nUn+E+NGW9JQFOp8AliM6vbS1puwJViz6RvlVUPVsWGsK5f9D:xGGKW6vbUpuY2cF

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqg-b3a4d7c4c5b4a03a8a11dc9f6bb313a4c6da0040f2e45a48dc76ebc3f12d7842

    • Size

      23KB

    • MD5

      19c553768fdae568484a2f94e8cc4853

    • SHA1

      994e146909e21f06fc8b10790ba4d731174b5467

    • SHA256

      b3a4d7c4c5b4a03a8a11dc9f6bb313a4c6da0040f2e45a48dc76ebc3f12d7842

    • SHA512

      214f78635c6cf20d102cd9a44891df7b9b86edfc166cb98d808e5b082ed8877bb0a69338202384d9b6d65aded388b3e656071f6479de03db72126d600c87c670

    • SSDEEP

      384:aweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZJV:FLq411eRpcnuo

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • Latentbot family

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqh-0dfca39c7ebcca00525b6d29fb720a32396a12716322609498528bdcf91d8715

    • Size

      29KB

    • MD5

      7eeb03f03f522d069360a11605d8c36f

    • SHA1

      c822086cc3c0aeab9940880cccec95096d3fe5a4

    • SHA256

      0dfca39c7ebcca00525b6d29fb720a32396a12716322609498528bdcf91d8715

    • SHA512

      1d9d9d2915c2cc53840539bf71b4d200ed3744159dbdb56a85010f12600b891b34941fecdf455886c00a4b96ccbe1c903b3db7a8842a177ba1f99ac0db442b61

    • SSDEEP

      384:IYs5l7VL9skVQ42BkSv5dAsCGmqDm+jeI7GBsbh0w4wlAokw9OhgOL1vYRGOZzoZ:k7/skCXkQossqtje3BKh0p29SgRiv

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqh-6ec3febd674513a33ed7c68a64fd8b02b0436a96f79b69821faad1334025937d

    • Size

      29KB

    • MD5

      ca425da564d393935f4f6e65512a5c76

    • SHA1

      dad4a18898498edf5dc784f83f18681ef16bcc89

    • SHA256

      6ec3febd674513a33ed7c68a64fd8b02b0436a96f79b69821faad1334025937d

    • SHA512

      29daaa562474e052cebdda46e97cf31d52db1e74cb6ba0201dd46f9d2125a4fb0a2cc02db4ed206af7a0a603a5e26b8b9dc35b265815a20fcf0896884996324b

    • SSDEEP

      384:XFWjNl7XNRoWGVulRjr5dN2EGmqDm8Jek7GBsbh0w4wlAokw9OhgOL1vYRGOZzdO:XO7ToWGVKBV2KqrJebBKh0p29SgRf0

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqh-7b864591a77a15197d9f25ed3e625b50576ffc061f2849ac6fcc245d296b7357

    • Size

      29KB

    • MD5

      343f28d15f8853545992389029be1dca

    • SHA1

      961f81167a3666055e770322ddb6950d728dbfa3

    • SHA256

      7b864591a77a15197d9f25ed3e625b50576ffc061f2849ac6fcc245d296b7357

    • SHA512

      21c78cf94855d3689fa6e79a10fd17196eec45304ab78c3720a330d74ef86575528cbcfc5a117cebcc2a516eb48758294eba7fabeddf9738363963ba441c13ca

    • SSDEEP

      384:eos5l7l7EMrof6oyr/5NxrimmqDWD4IePUGBsbh0w4wlAokw9OhgOL1vYRGOZzmg:y7GMroynbprsq04IePBKh0p29SgRAM

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqo-8b635dcdeacc541a398e5862d13ea54004302b8c06b63a2db0ddc7c6528e804f

    • Size

      29KB

    • MD5

      459b4e64ad1d0dc32ca057b7ef0fd110

    • SHA1

      0e618bc238f50490089c30b86b32ac109b35e4fe

    • SHA256

      8b635dcdeacc541a398e5862d13ea54004302b8c06b63a2db0ddc7c6528e804f

    • SHA512

      afc24d488456dcba898b588cb1515cd3db88b2640ec4b69969cc2d36683cf89da5aec70defb7babfbca2f060e1f07ab8d91c6ab020a29b7368a5b8d62b1300b7

    • SSDEEP

      384:KhQXpl7dzns8oDw/LRP55/4GWmqDSeXegLGBsbh0w4wlAokw9OhgOL1vYRGOZzp9:KE7Js8oDSJz4wqZXenBKh0p29SgRjb

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bazaar.2020.02/Trojan.MSIL.Disfa.bqo-971e4b2879189d8d1f19a1d5874dd6f571651aa02ed7cf7d97f2c0b43fa6b6c2

    • Size

      29KB

    • MD5

      95ec08b6d26a1b841217cc2c6dd3d887

    • SHA1

      b5b5eea75d75f8be72bef1a9d41a19e87609f473

    • SHA256

      971e4b2879189d8d1f19a1d5874dd6f571651aa02ed7cf7d97f2c0b43fa6b6c2

    • SHA512

      e3adff6e1739a739b6d74e09bf5a425c940a6d0d383a18d4c553a1800deee4d081b9da8d8cbe822d87f065096909c31efb277c9e3b6dd2d2fccd8fa50288b403

    • SSDEEP

      384:YQXpl7dzns8oDw/L1Z5X9e0WmqDwgRrVe8FGBsbh0w4wlAokw9OhgOL1vYRGOZzI:h7Js8oDSD3eqqFRRetBKh0p29SgRF2

    • Target

      bazaar.2020.02/Trojan.Win32.Agentb.jiad-1e0cc4051f5ea6cb75b0df551bc5be60abc54ca51cd1611dc760aa245a0055dd

    • Size

      98KB

    • MD5

      f6c0f66dddb1c6e83a62c3a17b5e98b6

    • SHA1

      00bbd7b66698ebc534bfcb42e65b8b30816458bd

    • SHA256

      1e0cc4051f5ea6cb75b0df551bc5be60abc54ca51cd1611dc760aa245a0055dd

    • SHA512

      84ed45502c8494bb75ffcb2b5a2dde5041201e924e3085313cc5d29e5e59a95ab7f1cf62fe8e24e450430151dd6ff401902df45dc193f389fba420ee683ac146

    • SSDEEP

      1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG

    • Target

      bazaar.2020.02/Trojan.Win32.Agentb.jiad-8aa2c9406939c8c158483b7607b68846a87b1ee8fba9301d11aa812429516db5

    • Size

      101KB

    • MD5

      ea5d06cb02ebd6a84532a1759a0864ec

    • SHA1

      02c44a87f4bf084dd8971b4a25e7b5babeacdfa6

    • SHA256

      8aa2c9406939c8c158483b7607b68846a87b1ee8fba9301d11aa812429516db5

    • SHA512

      629215ef0cac6abd40c46cf0cf2e87e80c0c0e7810d39d7a9630528622b388bd9e3e8979bfeba98ec8d53f3aee1cdb99505e591a12d8f7967bb33f6ddbbe2ea9

    • SSDEEP

      1536:FbYoyaC/lwKYGNhs3x09kX/t+Fy6sSxVE0eCK:XyaoG8L9kv47xVE09K

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Target

      bazaar.2020.02/Trojan.Win32.Bublik.elhu-3ba8a562f78af7776675f128f12777144fc3c73a471d8efb1950728179bb72d9

    • Size

      296KB

    • MD5

      eec35e47a24f274bd04386f1bdabdffe

    • SHA1

      2e7af6983e83ab9479d2c9b245ac2f16683a9dc3

    • SHA256

      3ba8a562f78af7776675f128f12777144fc3c73a471d8efb1950728179bb72d9

    • SHA512

      3b3c397a5241cd4ead21db9ccd617e9d8f5b8b4229e9f38e23515bf323b80ad8d42d730d8913c24e7453bdd2c39ea830bf29426ceeaa9652c76fbaa86202c2ce

    • SSDEEP

      6144:POpslFlqWhdBCkWYxuukP1pjSKSNVkq/MVJbr:PwslrTBd47GLRMTbr

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

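The signatures listed for the samples above (Run and policy Run keys, Active Setup, Windows Firewall changes, Defender exclusions added from PowerShell, and the registry country-code read flagged as a likely geofence) name the host locations these families touch. The following script is an added, read-only triage helper and is not part of this report or of any sample's code: it enumerates those same locations on a live Windows host so an analyst can confirm or rule out the behaviour. The registry paths are the documented Windows locations; the `$SuspiciousPath` pattern, the function names, and the choice of `HKCU\Control Panel\International\Geo\Nation` as the value behind the "Checks computer location settings" signature are editorial assumptions.

```powershell
# Added host-triage helper (editorial example, not from the sandbox report or any sample).
# Read-only: enumerates the persistence and defense-evasion locations named by the
# report's signatures. Run in an elevated session for full HKLM and firewall coverage.

# Editorial assumption: anything launched from a user-writable location deserves a look.
$SuspiciousPath = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

function Get-RegistryValues {
    # Returns Key/Name/Value rows for one key, skipping PowerShell's PS* metadata properties.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $item = Get-ItemProperty -LiteralPath $Key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Key = $Key; Name = $p.Name; Value = [string]$p.Value }
    }
}

function Get-RunKeyPersistence {
    # "Adds Run key" / "Adds policy Run key": Run, RunOnce and Policies\Explorer\Run in both hives.
    $keys = foreach ($hive in 'HKCU:', 'HKLM:') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    }
    $keys += 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        Get-RegistryValues -Key $k |
            Select-Object Key, Name, Value, @{ n = 'Suspicious'; e = { $_.Value -match $SuspiciousPath } }
    }
}

function Get-ActiveSetupPersistence {
    # "Boot or Logon Autostart Execution: Active Setup": each Installed Components subkey with a
    # StubPath is executed once per user at logon when its Version is newer than the HKCU copy.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($props.StubPath) {
            [pscustomobject]@{
                Component  = $_.PSChildName
                Version    = $props.Version
                StubPath   = $props.StubPath
                Suspicious = ($props.StubPath -match $SuspiciousPath)
            }
        }
    }
}

function Get-FirewallAllowRulesForUserPaths {
    # "Modifies Windows Firewall": allow rules whose program lives in a user-writable path,
    # which is what a netsh "add allowedprogram"-style change by a dropped EXE leaves behind.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match $SuspiciousPath } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            if ($rule.Action -eq 'Allow') {
                [pscustomobject]@{ Rule = $rule.DisplayName; Enabled = $rule.Enabled; Program = $_.Program }
            }
        }
}

function Get-DefenderExclusions {
    # "Command and Scripting Interpreter: PowerShell": Add-MpPreference -Exclusion* calls end up
    # in the Defender preferences, which Get-MpPreference reads back.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        [pscustomobject]@{
            Paths      = @($pref.ExclusionPath)
            Extensions = @($pref.ExclusionExtension)
            Processes  = @($pref.ExclusionProcess)
        }
    } catch {
        Write-Warning "Get-MpPreference unavailable (no Defender module or access denied): $_"
    }
}

function Get-GeoNation {
    # "Checks computer location settings": the per-user country code (assumed location of the
    # value the signature refers to); compare it with the samples' geofence behaviour in the sandbox.
    (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue).Nation
}

Write-Host '== Run / RunOnce / Policies Run entries =='
Get-RunKeyPersistence | Format-Table -AutoSize
Write-Host '== Active Setup StubPath entries =='
Get-ActiveSetupPersistence | Format-Table -AutoSize
Write-Host '== Firewall allow rules for programs in user-writable paths =='
Get-FirewallAllowRulesForUserPaths | Format-Table -AutoSize
Write-Host '== Defender exclusions =='
Get-DefenderExclusions | Format-List
Write-Host "== HKCU Geo\Nation: $(Get-GeoNation) =="
```

The `Suspicious` column is a triage hint, not a verdict: legitimate installers also write Run keys and Active Setup stubs under `Program Files`, so the point is to surface entries that point into `AppData`, `Temp` or a user profile, where the dropped executables flagged by "Executes dropped EXE" and "Drops startup file" would live. A non-empty Defender exclusion list on a host that should have none is the strongest single indicator among these.
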
MITRE ATT&CK Enterprise v15

Tasks

static1
  Tags: low3nhackedratnullupxmikel_04mikel50infectedstealerguestlimerevengeb hatnyan cattest bypass cho down loadvn333hostvisual studiomybotyourphonerequired installationperson_anonymoushacked by hidden personhacked by killerclienttestbustabithacked pubghhhxxx마인크래프트hacked kulum pubg mobile pinatanaidemepersongariban2020/34234234sad nigga hourslimetopherrobyvictimenyancatrevenger a dsystemytoffice04kurbanforce onenewcoderpsforce one pc masterdownloadingrecup noip내따꽈리clientaremotenjratasyncratdarkcometquasarrevengeratsodinokibilimeratremcosnanocorewarzoneratcybergate
  Score: 10/10

behavioral1
  Tags: quasar, office04, discovery, spyware, trojan
  Score: 10/10

behavioral2
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral3
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral4
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral5
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral6
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral7
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral8
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral9
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral10
  Tags: nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral11
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral12
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral13
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral14
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral15
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral16
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral17
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral18
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral19
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral20
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral21
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral22
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral23
  Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral24
  Tags: latentbot, njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral25
  Tags: njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral26
  Tags: defense_evasion, discovery, persistence, privilege_escalation
  Score: 8/10

behavioral27
  Tags: njrat, clienta, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral28
  Tags: njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral29
  Tags: defense_evasion, discovery, persistence, privilege_escalation
  Score: 8/10

behavioral30
  Tags: warzonerat, discovery, infostealer, rat
  Score: 10/10

behavioral31
  Tags: warzonerat, discovery, execution, infostealer, rat
  Score: 10/10

behavioral32
  Tags: cybergate, remote, discovery, persistence, stealer, trojan, upx
  Score: 10/10