General

  • Target

    0afee0e91bf19efe819afbfc750dc29208543610fb9a7dd4471158455777a967

  • Size

    184KB

  • Sample

    220121-2smf4scbap

  • MD5

    05d37e0bbd880a1b39418a8328148e73

  • SHA1

    f9b1db221bc531abbf22124307f443460ce5eec9

  • SHA256

    0afee0e91bf19efe819afbfc750dc29208543610fb9a7dd4471158455777a967

  • SHA512

    2e6971fa81232555dec7ce4fde4e06181f3f5ed9ae863ff5860dd23bd0a17185a1ae176ed282c752ff57b1ee0826baeb5ee75222d893fe78feeaf5b3666a7c58

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7.3

  • Botnet

    TULUA VALLE

  • C2

    tuluavalle3.duckdns.org:1990

  • Mutex

    Client.exe

  • Attributes

    • reg_key

      Client.exe

    • splitter

      1990

Targets


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1