General

  • Target

    F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe

  • Size

    37KB

  • Sample

    210912-wmvmmsfecp

  • MD5

    32553936e98e9f13c1f32d467077fd38

  • SHA1

    15e613343b191b07dd5deb44bbf732b8d9146cb4

  • SHA256

    f398959491efe9874d198ffdd7f1575439fc4db53e82063824ebb9af158ac7db

  • SHA512

    db5752e8950df2da06bb078944e2454c84d0480b9e059fca013edac38c4b188acb7b473e9da07d16b4a959bf78fbf1b4f04dfb6f73f4e22d8dc90d529e61e16a

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

2.tcp.ngrok.io:13564

Mutex

5e872b01dd468d43dc0ebbdd5345346e

Attributes
  • reg_key

    5e872b01dd468d43dc0ebbdd5345346e

  • splitter

    |'|'|

Targets

    • Target

      F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe

    • Size

      37KB

    • MD5

      32553936e98e9f13c1f32d467077fd38

    • SHA1

      15e613343b191b07dd5deb44bbf732b8d9146cb4

    • SHA256

      f398959491efe9874d198ffdd7f1575439fc4db53e82063824ebb9af158ac7db

    • SHA512

      db5752e8950df2da06bb078944e2454c84d0480b9e059fca013edac38c4b188acb7b473e9da07d16b4a959bf78fbf1b4f04dfb6f73f4e22d8dc90d529e61e16a

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1
