Statik Analiz — NjRAT | ALTO | CVSS: 7.5
Arquivo
| SHA256 | d2aa40cc53b40c6e76ac0677c4a54387b3f27ee94c85d9b2c3a3d66aeef92a66 |
|---|---|
| MD5 | f0cfe3559bf988d4477a6ac2bcc6c025 |
| Arquivo | d2aa40cc53b40c6e76ac0677c4a54387b3f27ee94c85d9b2c3a3d66aeef92a66.exe |
| Tamanho | 8,871,984 byte |
| Tipo | PE32 executable for MS Windows 6.00 (GUI), Intel i386, 12 sections |
| Stringler | 52,388 |
Bölümler
| Ad | Entropi |
|---|---|
.text | 6.49 |
.itext | 5.8 |
.data | 5.23 |
.bss | 0.0 |
.idata | 4.87 |
.didata | 3.29 |
.edata | 1.34 |
.tls | 0.0 |
.rdata | 1.38 |
.reloc | 6.72 |
.rsrc | 6.64 |
.debug | 5.23 |
Import Tablosu
kernel32.dlluser32.dlloleaut32.dlladvapi32.dll
IOC
| SHA256 | d2aa40cc53b40c6e76ac0677c4a54387b3f27ee94c85d9b2c3a3d66aeef92a66 |
|---|---|
| MD5 | f0cfe3559bf988d4477a6ac2bcc6c025 |
| IP | 4.0.0.0, 2.12.2.0, 2.3.4.5, 17.0.0.0, 14.0.0.0 |
| Domain | github.com, comodoca.com, system.io, gsystem.net, system.net, sectigo.com, microsoft.com, usertrust.com |
| BTC | 1c1d1e1f1g1h1j1k1m1o1q1s1u1w1y1, 3B3C3E3F3G3L3M3P3Q3R3S3U3V3X3Y3 |
| Mutex | TConditionVariableMutex, ReleaseMutex |
| C2 | github.com, comodoca.com, system.io, gsystem.net, system.net |
NjRAT — Perfil do malware
njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.
Tipo de malware
RAT
Linguagem de programação
VB.NET
Protocolo C2
TCP (varsayilan port 1177)
Sistemas-alvo
Windows
Também conhecido como (AKA)
Bladabindi, H-Worm, houdini
Detalhes técnicos
TCP port 1177 (varsayilan), XOR tabanlı iletisim sifreleme, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, Keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera
Atribuição / Ator da ameaça
Arap dilli siber suc topluluklari, en cok MENA (Orta Dogu ve Kuzey Afrika) bolgesindeki gruplar. Yasama savasi donemi Suriyeli gruplar tarafindan da kullanilmistir.
Capacidades e comportamento
Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması
Lista IOC (17 indicadores)
IOC — NjRAT
#
1c1d1e1f1g1h1j1k1m1o1q1s1u1w1y1
#
3B3C3E3F3G3L3M3P3Q3R3S3U3V3X3Y3
# IP
4.0.0.0
# IP
2.12.2.0
# IP
2.3.4.5
# IP
17.0.0.0
# IP
14.0.0.0
# DOMAIN
github.com
# DOMAIN
comodoca.com
# DOMAIN
system.io
# DOMAIN
gsystem.net
# DOMAIN
system.net
# DOMAIN
sectigo.com
# DOMAIN
microsoft.com
# DOMAIN
usertrust.com
# MUTEX
TConditionVariableMutex
# MUTEX
ReleaseMutex
| Tipo | Valor | Nota |
|---|---|---|
| 1c1d1e1f1g1h1j1k1m1o1q1s1u1w1y1 | BTC | |
| 3B3C3E3F3G3L3M3P3Q3R3S3U3V3X3Y3 | BTC | |
| ip | 4.0.0.0 | C2 aday |
| ip | 2.12.2.0 | C2 aday |
| ip | 2.3.4.5 | C2 aday |
| ip | 17.0.0.0 | C2 aday |
| ip | 14.0.0.0 | C2 aday |
| domain | github.com | C2 domain |
| domain | comodoca.com | C2 domain |
| domain | system.io | C2 domain |
| domain | gsystem.net | C2 domain |
| domain | system.net | C2 domain |
| domain | sectigo.com | C2 domain |
| domain | microsoft.com | C2 domain |
| domain | usertrust.com | C2 domain |
| mutex | TConditionVariableMutex | Mutex |
| mutex | ReleaseMutex | Mutex |
Servidores C2 (8 servidores registrados para esta família)
| Endereço | Tipo | Porta | Protocolo | Status | País |
|---|---|---|---|---|---|
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| comodoca.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| comodoca.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
Os endereços C2 são fornecidos apenas a partir de amostras de malware verificadas manualmente pela equipe KEYDAL. O uso comercial é proibido.