461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2

General

Target: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
Size: 3MB
Sample: 210924-gsmrnagab4
Score: 10/10
MD5: 8a060daac1e73524a227875e5da6eb3d
SHA1: 9cd8730422dc2553e028828feb370341da702061
SHA256: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
SHA512: 9fee328d96c2c2df6bd9a37c835dd7272215f0952479d56f09d0371375bc758388c96a598319e6e11a3673e270738794177ef0ca9b8b817274b3d5d65eab0d87

Malware Config

Extracted

Family: njrat
Version: 0.7d
Botnet: HacKed
C2: lightcf.ddns.net:1177

Attributes
reg_key: f20acdfb6b0a6c02ffcee135dec9d57c
splitter: |'|'|
Targets

Target: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
MD5: 8a060daac1e73524a227875e5da6eb3d
Filesize: 3MB
Score: 10/10
SHA1: 9cd8730422dc2553e028828feb370341da702061
SHA256: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
SHA512: 9fee328d96c2c2df6bd9a37c835dd7272215f0952479d56f09d0371375bc758388c96a598319e6e11a3673e270738794177ef0ca9b8b817274b3d5d65eab0d87

Signatures

  • njRAT/Bladabindi
    Description: Widely used RAT written in .NET.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    TTPs: Query Registry; Virtualization/Sandbox Evasion

  • Executes dropped EXE

  • Modifies Windows Firewall
    TTPs: Modify Existing Service

  • Checks BIOS information in registry
    Description: BIOS information is often read in order to detect sandboxing environments.
    TTPs: Query Registry; System Information Discovery

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence.
    TTPs: Query Registry; System Information Discovery

  • Identifies Wine through registry keys
    Description: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
    TTPs: Query Registry; Virtualization/Sandbox Evasion

  • Loads dropped DLL

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1: 5/10