General

  • Target

    63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

  • Size

    1.7MB

  • Sample

    240701-fp7f8azgqk

  • MD5

    b7ca45674c6b8a24a6a71315e0e51397

  • SHA1

    79516b1bd2227f08ff333b950dafb29707916828

  • SHA256

    63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

  • SHA512

    f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

  • SSDEEP

    24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    194.26.192.92:5552

  • Mutex

    3c34302470a14b537cf05fcc9ade517d

  • Attributes

    • reg_key

      3c34302470a14b537cf05fcc9ade517d

    • splitter

      |'|'|

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    127.0.0.1:6606

    127.0.0.1:7707

    127.0.0.1:8808

    https://api.telegram.org/bot7095863454:AAFGhBQqJXY7rFzi0CT99qZPVRwQpKI6R1A/sendMessage?chat_id=7257613869

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

    • aes.plain

Targets

    • Target

      63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

    • Size

      1.7MB

    • MD5

      b7ca45674c6b8a24a6a71315e0e51397

    • SHA1

      79516b1bd2227f08ff333b950dafb29707916828

    • SHA256

      63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

    • SHA512

      f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

    • SSDEEP

      24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    • T1543 Create or Modify System Process (1)

    • T1543.003 Windows Service (1)

    • T1546 Event Triggered Execution (1)

    • T1546.007 Netsh Helper DLL (1)

  • Privilege Escalation

    • T1543 Create or Modify System Process (1)

    • T1543.003 Windows Service (1)

    • T1546 Event Triggered Execution (1)

    • T1546.007 Netsh Helper DLL (1)

  • Defense Evasion

    • T1562 Impair Defenses (1)

    • T1562.004 Disable or Modify System Firewall (1)

  • Discovery

    • T1082 System Information Discovery (2)

    • T1012 Query Registry (1)

    • T1018 Remote System Discovery (1)

  • Command and Control

    • T1102 Web Service (1)

Tasks