General

  • Target

    2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c

  • Size

    662KB

  • Sample

    211118-bhgj1aedg3

  • MD5

    51b5e9e7d1d63c1acd6df20dda31004a

  • SHA1

    2a935b93c9135bb4d0d849c8219c453075bcdf47

  • SHA256

    2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c

  • SHA512

    f91f54e994b898e96743ece7f61613301d78e398361d10bbd25c0b59e59bd75fe6a438adc8ce4ce20031fa2202d4c7a5239bbbf105aba8619b43717950b6a202

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

107.155.132.152:5552

Mutex

2b9f14c7f031fd1035abf9fa94c773ba

Attributes
  • reg_key

    2b9f14c7f031fd1035abf9fa94c773ba

  • splitter

    |'|'|

Targets

    • Target

      2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c

    • Size

      662KB

    • MD5

      51b5e9e7d1d63c1acd6df20dda31004a

    • SHA1

      2a935b93c9135bb4d0d849c8219c453075bcdf47

    • SHA256

      2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c

    • SHA512

      f91f54e994b898e96743ece7f61613301d78e398361d10bbd25c0b59e59bd75fe6a438adc8ce4ce20031fa2202d4c7a5239bbbf105aba8619b43717950b6a202

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks