General

  • Target

    5.exe

  • Size

    37KB

  • Sample

    220326-hn97tsebgj

  • MD5

    e817d74d13c658890ff3a4c01ab44c62

  • SHA1

    bf0b97392e7d56eee0b63dc65efff4db883cb0c7

  • SHA256

    2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

  • SHA512

    8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    Bot

  • C2

    DanilWhiteNjrat-57320.portmap.host:57320

  • Mutex

    802f813d3810aa536753efbd3390b541

Attributes
  • reg_key

    802f813d3810aa536753efbd3390b541

  • splitter

    |'|'|

Targets

    • Target

      5.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 1
