General

  • Target

    20f6117d283429b37fe69bac1c359ae2

  • Size

    483KB

  • Sample

    201214-zhayr4gvy2

  • MD5

    20f6117d283429b37fe69bac1c359ae2

  • SHA1

    b7da29f00ccbc21afcdee37e555881bbeafc8dd3

  • SHA256

    0c8e9450e4da34f82d2c7dc00dc2969fd1557fd074ba1ba5e743cfeebd010634

  • SHA512

    f989093dcc5c5bad8bd4d6224d5153170f1f3be5f563c79ef0bdf4684abc4174a2d4c47b6f81eceb931cbb1077a35f0948a45bd09605430778e0f05c7b9d2db6

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Victima

  • C2

    ctaenl.hopto.org:5552

  • Mutex

    a051d95b93b260b31c1eaef96aa2d0fa

Attributes
  • reg_key

    a051d95b93b260b31c1eaef96aa2d0fa

  • splitter

    |'|'|

Targets

    • Target

      20f6117d283429b37fe69bac1c359ae2

    • Size

      483KB

    • MD5

      20f6117d283429b37fe69bac1c359ae2

    • SHA1

      b7da29f00ccbc21afcdee37e555881bbeafc8dd3

    • SHA256

      0c8e9450e4da34f82d2c7dc00dc2969fd1557fd074ba1ba5e743cfeebd010634

    • SHA512

      f989093dcc5c5bad8bd4d6224d5153170f1f3be5f563c79ef0bdf4684abc4174a2d4c47b6f81eceb931cbb1077a35f0948a45bd09605430778e0f05c7b9d2db6

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Count  ID
  Execution         Scripting                      1      T1064
  Persistence       Modify Existing Service        1      T1031
  Defense Evasion   Scripting                      1      T1064
  Discovery         System Information Discovery   1      T1082
  Discovery         Remote System Discovery        1      T1018
