General

  • Target

    4e7678bfa4bd0656d406b6452f501cb54fcc6ddc7c9debde66fda39415c2222f

  • Size

    233KB

  • Sample

    210914-hcydwsfba2

  • MD5

    0e9bbf130c496a3ab72cd769e8cd539a

  • SHA1

    a403efd98438432f1beaab845f45b6aa0f1e4d98

  • SHA256

    4e7678bfa4bd0656d406b6452f501cb54fcc6ddc7c9debde66fda39415c2222f

  • SHA512

    5fa6d5ffe5b22104e522041e31d006b78313b9534512030b30698c87ef3bfbe898339bdd7c3a5c02111a7fa919f678c0bb2e87991ff684f5c50633ab08128cce

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

tradingrecovery.duckdns.org:1177

Mutex

dbbf1042b66c5304a783d4eff25120c4

Attributes
  • reg_key

    dbbf1042b66c5304a783d4eff25120c4

  • splitter

    |'|'|
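
The extracted config above is enough to pull this family's C2 traffic apart on the wire: every message is a command followed by fields joined with the splitter, and the registration beacon carries the botnet name. The Python below is an added example written for this page, not code from the sample or from the sandbox. The length-prefixed framing (ASCII decimal length, a NUL byte, then the payload), the command names `ll` and `inf`, and the order of the beacon fields follow public njRAT write-ups and are assumptions of the example; the stream it parses is constructed inline.

```python
# Added example: unframe and parse njRAT-style C2 messages using the
# indicators recovered from this sample's config. Framing and field order
# are assumptions taken from public njRAT analyses, not from this page.
import base64

SPLITTER = b"|'|'|"                                   # "splitter" attribute
BOTNET = "HacKed"                                     # "Botnet" value
C2 = ("tradingrecovery.duckdns.org", 1177)            # extracted C2


def unframe(stream: bytes):
    """Split a raw TCP stream into message payloads.

    Assumed framing: decimal length, NUL, payload. Raises ValueError on a
    truncated stream so a caller can buffer more bytes and retry.
    """
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            raise ValueError("bad or truncated frame header at offset %d" % pos)
        length = int(stream[pos:nul])
        body = stream[nul + 1:nul + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame body at offset %d" % pos)
        payloads.append(body)
        pos = nul + 1 + length
    return payloads


def is_complete(stream: bytes) -> bool:
    """True when the stream contains only whole frames."""
    try:
        unframe(stream)
        return True
    except ValueError:
        return False


def parse(payload: bytes):
    """Split one payload on the config splitter into (command, fields)."""
    parts = payload.split(SPLITTER)
    cmd = parts[0].decode("latin-1")
    return cmd, [p.decode("utf-8", "replace") for p in parts[1:]]


def parse_registration(fields):
    """Interpret an 'll' beacon.

    Assumed layout: victim_id, botnet, hostname, username, ... (later fields
    ignored here). The victim id is usually base64; decode it when it is.
    """
    victim = fields[0]
    try:
        victim = base64.b64decode(victim, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        pass  # keep the raw value when it is not valid base64
    return {"victim": victim, "botnet": fields[1],
            "host": fields[2], "user": fields[3]}


def triage(stream: bytes):
    """Unframe a stream and flag beacons that match this sample's config."""
    results = []
    for payload in unframe(stream):
        cmd, fields = parse(payload)
        rec = {"cmd": cmd, "fields": fields}
        if cmd == "ll" and len(fields) >= 4:
            rec.update(parse_registration(fields))
            rec["matches_config"] = rec["botnet"] == BOTNET
        results.append(rec)
    return results


def frame(payload: bytes) -> bytes:
    """Build one frame under the assumed framing (used for the sample)."""
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample: a registration beacon followed by an 'inf' request.
SAMPLE_STREAM = frame(SPLITTER.join([
    b"ll",
    base64.b64encode(b"HacKed_5F3A9C21"),   # constructed victim id
    b"HacKed",
    b"DESKTOP-01",
    b"user",
])) + frame(b"inf")

if __name__ == "__main__":
    for rec in triage(SAMPLE_STREAM):
        print(rec)
```

Run it against a reassembled TCP stream to `tradingrecovery.duckdns.org:1177` (the `C2` constant is kept only for correlation); `is_complete` lets a capture reader accumulate bytes until a whole frame is present instead of failing mid-message.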

Targets

    • Target

      4e7678bfa4bd0656d406b6452f501cb54fcc6ddc7c9debde66fda39415c2222f

    • Size

      233KB

    • MD5

      0e9bbf130c496a3ab72cd769e8cd539a

    • SHA1

      a403efd98438432f1beaab845f45b6aa0f1e4d98

    • SHA256

      4e7678bfa4bd0656d406b6452f501cb54fcc6ddc7c9debde66fda39415c2222f

    • SHA512

      5fa6d5ffe5b22104e522041e31d006b78313b9534512030b30698c87ef3bfbe898339bdd7c3a5c02111a7fa919f678c0bb2e87991ff684f5c50633ab08128cce

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1 signature

  • Registry Run Keys / Startup Folder (T1060): 1 signature

Defense Evasion

  • Modify Registry (T1112): 1 signature

Discovery

  • System Information Discovery (T1082): 1 signature