General

  • Target

    34ArXmP6.exe

  • Size

    23KB

  • Sample

    210102-jy2yza9f66

  • MD5

    79f4a193c1a13bcff525744920f0a656

  • SHA1

    c358ef3c3446c5827b19f27d9beaf7b47ea85b3e

  • SHA256

    735aba62493a92f1b5a807a29259f7327977ed35587c477f25024954f347ddb3

  • SHA512

    7b3290692ce03a4050a39cf6ebf840a83f271d3a51b9ee5b56d0a3ee1db021c77cfebd56381db732fc1a979bf6796e621df25daa8b7aff49d9c3cb411c709aff

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    xoruf.ddns.net:5552

  • Mutex

    70d07bb54d53fe450ad16e5aacbe54a8

Attributes
  • reg_key

    70d07bb54d53fe450ad16e5aacbe54a8

  • splitter

    @!#&^%$

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1031 Modify Existing Service (1 indicator)

    T1060 Registry Run Keys / Startup Folder (1 indicator)

  • Defense Evasion

    T1112 Modify Registry (1 indicator)

  • Discovery

    T1082 System Information Discovery (1 indicator)

Tasks