Derin Statik Analiz — NjRAT | Tehdit: high

Fichier Kimliği

SHA256c559ae3589ef6275ab17974827435d17215a4f81b35da976a98299021addcc93
MD5440b4ef096504461be38b21b0ec74e57
SHA1cfdfcd1585e07575cb76e591f9f3b8e87ff2c189
Nom du fichier440b4ef096504461be38b21b0ec74e57.exe
Taille32256 byte
Type/opt/ksentinel/samples/c559ae3589ef6275_440b4ef096504461be38b21b0: PE32 executable (GUI) Intel 80386
Date de compilationInconnu
PackerUPX

C2 Sunucuları / Dropper Domainleri

AdresTipDurum
System.IODomainactive
System.NetDomainactive

Tespit Edilen IOC'lar

ValeurTip
System.IODomain
System.NetDomain

Yetenekler

Geliştirici İpuçları

Geliştirici ipucu bulunamadı.

PE Analizi

PE Confiancelik Taraması

file entropy:                    5.616289 (normal)
fpu anti-disassembly:            no
imagebase:                       normal
entrypoint:                      normal
DOS stub:                        normal
TLS directory:                   not found
timestamp:                       normal
section co

Import Tablosu (özet)

Imported functions
    Library
        Name:                            mscoree.dll
        Functions
            Function
                Hint:                            0
                Name:                            _CorExeMain

Famille Tespiti — String Kanıtı

String kanıtı bulunamadı (obfuscated).

NjRAT — Profil du malware

njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.

Type de malware
RAT
Langage de programmation
VB.NET
Protocole C2
TCP (varsayilan port 1177)
Systèmes ciblés
Windows
Aussi connu sous (AKA)
Bladabindi, H-Worm, houdini

Détails techniques

TCP port 1177 (varsayilan), XOR tabanlı iletisim sifreleme, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, Keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera

Attribution / Acteur de la menace

Arap dilli siber suc topluluklari, en cok MENA (Orta Dogu ve Kuzey Afrika) bolgesindeki gruplar. Yasama savasi donemi Suriyeli gruplar tarafindan da kullanilmistir.

Capacités et comportement

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Liste IOC (5 indicateurs)

IOC — NjRAT
# cfdfcd1585e07575cb76e591f9f3b8e87ff2c189 # SHA256 c559ae3589ef6275ab17974827435d17215a4f81b35da976a98299021addcc93 # MD5 440b4ef096504461be38b21b0ec74e57 # DOMAIN System.IO # DOMAIN System.Net
TypeValeurNote
cfdfcd1585e07575cb76e591f9f3b8e87ff2c189
sha256 c559ae3589ef6275ab17974827435d17215a4f81b35da976a98299021addcc93
md5 440b4ef096504461be38b21b0ec74e57
domain System.IO
domain System.Net

Serveurs C2 (8 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
comodoca.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
comodoca.com domain — TCP active —
microsoft.com domain — TCP active —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
njratstatik-analizhighc2iocpe-analiz