General

  • Target

    DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe

  • Size

    91KB

  • Sample

    210916-v9en9sggak

  • MD5

    6b5bc3eba86c9efbdf993773af3f593e

  • SHA1

    0fd0f10d34c28a928e69343caeeed7803646be8f

  • SHA256

    dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

  • SHA512

    cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7 MultiHost

  • Botnet

    HacKed

  • C2

    anunankis1.duckdns.org,anunankis3.duckdns.org,karmina112.sytes.net,karmina114.sytes.net,burdun.dynu.net,burdun114.dynu.net:1177

  • Mutex

    8746d62c81bb0c573a0a1086f9955c7b

Attributes

  • reg_key

    8746d62c81bb0c573a0a1086f9955c7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1