General

  • Target

    099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be

  • Size

    5.1MB

  • Sample

    210513-1hzkh3938a

  • MD5

    455221845bfa315bccfe26dbf2148284

  • SHA1

    a0ceaa693c0b59d7d29b306ef95c7e362b1e5d3c

  • SHA256

    099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be

  • SHA512

    a3d37f5703ea0ef9f21cec193de1ef980202932e1fc0e6f4f0ed1623fd002ebaf1a3acacd058919c84c7234c99e77992ee84e898b97d277d3a8e9449b436a175

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    cuidadonoip

  • C2

    redlan1.hopto.org:5553

  • Mutex

    ae9e817436635b16f6ddc3bfed8800fb

  • Attributes

    • reg_key

      ae9e817436635b16f6ddc3bfed8800fb

    • splitter

      |'|'|
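Added example (not code from the sandbox report, the sandbox vendor, or the malware itself): it turns the extracted configuration above into IOCs and a Suricata rule, and parses a constructed beacon stream on the reported splitter `|'|'|`. The C2 host and port, mutex, reg_key and splitter are the values reported above; the beacon bytes are constructed here, and the wire framing (ASCII decimal length, a NUL byte, then splitter-joined fields) and the `ll` registration token are assumptions that should be confirmed against a real capture of this sample before the detection logic is relied on.

```python
"""IOC extraction and beacon parsing for the njRAT 0.7d config above.

Added example, not code from the sandbox report or from the malware.
Config values (C2, mutex, reg_key, splitter) are the ones reported above;
the beacon bytes are CONSTRUCTED here, and the wire framing (ASCII decimal
length, a NUL byte, then splitter-joined fields) is an assumption to check
against a real capture before relying on it.
"""

SPLITTER = "|'|'|"

CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "cuidadonoip",
    "c2": "redlan1.hopto.org:5553",
    "mutex": "ae9e817436635b16f6ddc3bfed8800fb",
    "reg_key": "ae9e817436635b16f6ddc3bfed8800fb",
    "splitter": SPLITTER,
}


def config_to_iocs(cfg: dict) -> dict:
    """Flatten the extracted config into network-, host- and registry-level IOCs."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # reg_key is the registry value name used for persistence; the exact
        # hive/key is not stated in the report, so only the name is emitted.
        "registry_value_name": cfg["reg_key"],
        "campaign": cfg["botnet"],
    }


def suricata_rule(cfg: dict, sid: int) -> str:
    """Emit a Suricata rule matching the splitter on the reported C2 port.

    The splitter is written as a hex content match because '|' is the
    hex-delimiter character inside Suricata content strings.
    """
    _, _, port = cfg["c2"].rpartition(":")
    hex_splitter = " ".join(f"{b:02x}" for b in cfg["splitter"].encode())
    return (
        f"alert tcp $HOME_NET any -> $EXTERNAL_NET {port} "
        f'(msg:"{cfg["family"]} {cfg["version"]} beacon, botnet {cfg["botnet"]}"; '
        f'flow:established,to_server; content:"|{hex_splitter}|"; '
        f"sid:{sid}; rev:1;)"
    )


def build_frame(fields: list[str], splitter: str = SPLITTER) -> bytes:
    """Constructed-sample helper: frame fields as b"<len>\\x00<payload>" (assumed framing)."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


def split_frames(stream: bytes, splitter: str = SPLITTER) -> list[list[str]]:
    """Walk a TCP stream and split every frame into its splitter-delimited fields."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            raise ValueError(f"bad frame header at offset {pos}")
        length = int(stream[pos:nul])
        payload = stream[nul + 1 : nul + 1 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(payload.decode("utf-8", errors="replace").split(splitter))
        pos = nul + 1 + length
    return frames


def looks_like_njrat_beacon(fields: list[str], cfg: dict) -> bool:
    """Heuristic: first field is the registration token and the reported version appears."""
    # "ll" as the registration command is an assumption; other command tokens
    # exist but are not listed in the report, so only this one is checked.
    return fields[0] == "ll" and cfg["version"] in fields


# CONSTRUCTED beacon: two frames back to back, as a sensor would see them.
SAMPLE_STREAM = build_frame(
    ["ll", "HacKed_ABC123", "VICTIM-PC", "user", "21-05-13", "",
     "Win 7 Professional SP1", "No", "0.7d", "..", "Program Manager", ""]
) + build_frame(["act", "Notepad", ""])

if __name__ == "__main__":
    print(config_to_iocs(CONFIG))
    print(suricata_rule(CONFIG, 1000001))
    for frame in split_frames(SAMPLE_STREAM):
        print(frame, looks_like_njrat_beacon(frame, CONFIG))
```

The rule keys on the splitter alone, so it is intended as a starting point scoped to the reported port; tighten it with the C2 hostname (DNS) or the registration token once the framing has been confirmed on a capture of this sample.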

Targets

    • Target

      099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be

    • Size

      5.1MB

    • MD5

      455221845bfa315bccfe26dbf2148284

    • SHA1

      a0ceaa693c0b59d7d29b306ef95c7e362b1e5d3c

    • SHA256

      099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be

    • SHA512

      a3d37f5703ea0ef9f21cec193de1ef980202932e1fc0e6f4f0ed1623fd002ebaf1a3acacd058919c84c7234c99e77992ee84e898b97d277d3a8e9449b436a175

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic        Technique                      ID     Count
Persistence   Modify Existing Service        T1031  1
Discovery     System Information Discovery   T1082  1
