General

  • Target

    Twitter Hacking Tool.exe

  • Size

    5.4MB

  • Sample

    211111-22txjsccf4

  • MD5

    c17a1a08f40029c5134c7dfee8855c62

  • SHA1

    aeddeda74af8d0645090be751a8f1a9a389a7fa9

  • SHA256

    6d03ac7f036581531299dec4e1dd380bf19e17b88dcf43dcc5a6eae62ab87a6c

  • SHA512

    b27076e68926b751c3496eb7fb029a0840ca9d630d1b27c6f329cbad789b0c89d2c5453ff519ef165d9cf99a0f2e57905fe08d290084f9d10559d58090bc57d3

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

white monkey

C2

127.0.0.1:1177

Mutex

56af94ecf1deb5aa0dab576ea890f3e9

Attributes
  • reg_key

    56af94ecf1deb5aa0dab576ea890f3e9

  • splitter

    |'|'|

Targets

    • Target

      Twitter Hacking Tool.exe

    • Size

      5.4MB

    • MD5

      c17a1a08f40029c5134c7dfee8855c62

    • SHA1

      aeddeda74af8d0645090be751a8f1a9a389a7fa9

    • SHA256

      6d03ac7f036581531299dec4e1dd380bf19e17b88dcf43dcc5a6eae62ab87a6c

    • SHA512

      b27076e68926b751c3496eb7fb029a0840ca9d630d1b27c6f329cbad789b0c89d2c5453ff519ef165d9cf99a0f2e57905fe08d290084f9d10559d58090bc57d3

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Discovery

System Information Discovery

1
T1082

Tasks