General

  • Target

    2AD561E9BB9F780F56D5E7A280574432.exe

  • Size

    375KB

  • Sample

    210813-a2p51fw96x

  • MD5

    2ad561e9bb9f780f56d5e7a280574432

  • SHA1

    e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

  • SHA256

    54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

  • SHA512

    8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

212.192.241.42:5552

Mutex

34adf4afddd35097c6bf7951c5baad3a

Attributes
  • reg_key

    34adf4afddd35097c6bf7951c5baad3a

  • splitter

    |'|'|

Targets

    • Target

      2AD561E9BB9F780F56D5E7A280574432.exe

    • Size

      375KB

    • MD5

      2ad561e9bb9f780f56d5e7a280574432

    • SHA1

      e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

    • SHA256

      54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

    • SHA512

      8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

    • Modifies WinLogon for persistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Tasks