General
-
Target
4970911667748864.zip
-
Size
8KB
-
Sample
220125-1bgc4affa3
-
MD5
f9a12c701128e64f5fb54d302b4a194a
-
SHA1
5a294738fc587fd6210180a88a6854827e8a4e9d
-
SHA256
856e1c3396dca23a3acd980b01a233faf7c785a829f6f573744939da863a38eb
-
SHA512
71bef92954a026f328fc82b2093f98cb33f937ba5e9bd471328b2c7ef35bd6bf9c4d91204c0529e11e7ba392370c5c5da5373344f115a82a6d3fa54ee17b8cd6
Malware Config
Extracted
http://www.j.mp/ahsdiahwidaiuwd
Extracted
njrat
v2.0
CPA
mobibanewdan.duckdns.org:2525
Windows
-
reg_key
Windows
-
splitter
|-F-|
Targets
-
-
Target
2bae03ea91a0d39390de51793348ed98404f5fe3bb11f8f340151657a1a3f669
-
Size
9KB
-
MD5
05fe4d5d400cc4d2a51542351f8c960c
-
SHA1
87d158c376769994cf98402edb9f3b7f0739f8c5
-
SHA256
2bae03ea91a0d39390de51793348ed98404f5fe3bb11f8f340151657a1a3f669
-
SHA512
94374d60e2bbc096cb47472960d1bf205dd86789dbc892e6268135302e74c3b95bcda7bb21b5d84548b90cc1f9fe5cef21d9de6f0ec80681aa53c6d523f5973f
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request
-
Modifies Windows Firewall
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-