General

  • Target

    ee0385983682322efe022225fb874aca.exe

  • Size

    37KB

  • Sample

    211030-ya81lscaen

  • MD5

    ee0385983682322efe022225fb874aca

  • SHA1

    e234165631472c98a62107356a2b55a8e9f8b5a1

  • SHA256

    5fa5bb5bf065b701ecbbbd704e302ca70eff2912cee39fd86f2b732372eb44f3

  • SHA512

    b72cf0802d84874b1a8101793694a25051ef8460383d73a02552fe4e945517f7c40b7654fcc7b864985bd49d3b1a5e33792625c6483e7e3be6dfe9b909a424c9

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

4.tcp.ngrok.io:12516

Mutex

004af031f7d2d163aaa3cb0e51c1f6fe

Attributes

  • reg_key

    004af031f7d2d163aaa3cb0e51c1f6fe

  • splitter

    |'|'|

Targets

    • Target

      ee0385983682322efe022225fb874aca.exe

    • Size

      37KB

    • MD5

      ee0385983682322efe022225fb874aca

    • SHA1

      e234165631472c98a62107356a2b55a8e9f8b5a1

    • SHA256

      5fa5bb5bf065b701ecbbbd704e302ca70eff2912cee39fd86f2b732372eb44f3

    • SHA512

      b72cf0802d84874b1a8101793694a25051ef8460383d73a02552fe4e945517f7c40b7654fcc7b864985bd49d3b1a5e33792625c6483e7e3be6dfe9b909a424c9

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access

    Replication Through Removable Media (T1091): 1

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1

  • Lateral Movement

    Replication Through Removable Media (T1091): 1

Tasks