General

  • Target

    700c7757b81e5e615b8cab09008c08f6.exe

  • Size

    37KB

  • Sample

    211107-1m7dnagccj

  • MD5

    700c7757b81e5e615b8cab09008c08f6

  • SHA1

    5e15027312cacc8c390659ca7cfc7d2f49c12b19

  • SHA256

    99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25

  • SHA512

    756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    svchost.exe

  • C2

    6.tcp.ngrok.io:19025

  • Mutex

    26aadf41889f3fdf4dc721be5700b93a

  • Attributes

    reg_key: 26aadf41889f3fdf4dc721be5700b93a

    splitter: |'|'|

Targets

    • Target

      700c7757b81e5e615b8cab09008c08f6.exe

    • Size

      37KB

    • MD5

      700c7757b81e5e615b8cab09008c08f6

    • SHA1

      5e15027312cacc8c390659ca7cfc7d2f49c12b19

    • SHA256

      99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25

    • SHA512

      756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks