General
-
Target
461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
-
Size
57.6MB
-
Sample
250206-g6tr5avrct
-
MD5
0956d30facdbb958dabe6d13e751976f
-
SHA1
80cd8d27d451f221c58541a68566d49463d97aeb
-
SHA256
461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c
-
SHA512
c0457356da8ea38a4b7445b79e8d7bd95b76fbdfd6707b84df2bd0f8cf62f65316b7bc6c34c4c2044f35a7cb6bf937c9efcb73760581e5514e6cb1776f17a463
-
SSDEEP
1572864:Lf3VbWblqQ2LTbGk2kR0zvpspjSG/kt7Rb2n6CL0d:r3VLHbGkjRM+SGx6Uo
Malware Config
Extracted
njrat
0.7d
HacKed
postpix.shop:1177
aa63d8c3a8435a58d0b9f32e46b3a601
-
reg_key
aa63d8c3a8435a58d0b9f32e46b3a601
-
splitter
|'|'|
Targets
-
-
Target
461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
-
Size
57.6MB
-
MD5
0956d30facdbb958dabe6d13e751976f
-
SHA1
80cd8d27d451f221c58541a68566d49463d97aeb
-
SHA256
461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c
-
SHA512
c0457356da8ea38a4b7445b79e8d7bd95b76fbdfd6707b84df2bd0f8cf62f65316b7bc6c34c4c2044f35a7cb6bf937c9efcb73760581e5514e6cb1776f17a463
-
SSDEEP
1572864:Lf3VbWblqQ2LTbGk2kR0zvpspjSG/kt7Rb2n6CL0d:r3VLHbGkjRM+SGx6Uo
Score10/10-
Njrat family
-
Xmrig family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Legitimate hosting services abused for malware hosting/C2
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1