General

  • Target

    97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1

  • Size

    220KB

  • Sample

    210903-k6rvbachc7

  • MD5

    ea9bf7fd66e692a233b8252c9c64a879

  • SHA1

    06f8c1cab06d866b3ed0522b380bf08e866b9f74

  • SHA256

    97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1

  • SHA512

    f4c6d42c6b5b5c429bd5fc36a452ac10a88801f6ff9971b260d9d6256dfdbe2fd40442d2b39dbd8f7a708a7202cfa49d6da1900de23d3b7a094b041da4806437

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    hello

  • C2

    configpaid.hopto.org:1177

  • Mutex

    2918d83a8048748f66be3a548e28d02b

  • Attributes

    reg_key: 2918d83a8048748f66be3a548e28d02b

    splitter: |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1