General

  • Target

    bf718c38ce3220b1df02f0772365ecccfb5c3d7eb0a87e56674bbcdd0d066227

  • Size

    518KB

  • Sample

    220508-je9qdabcb9

  • MD5

    b3196f0ab1e0eeab4218b1626b796d10

  • SHA1

    81fc429e08a7e6b4b06010a89305facf0acaef48

  • SHA256

    bf718c38ce3220b1df02f0772365ecccfb5c3d7eb0a87e56674bbcdd0d066227

  • SHA512

    f59a4b29bd22c03976fc5543780abf5c46339dec4969a8e2214babe062e944aa29568f2943283b70682965afe53d9547d7a2c71cfd56b9f5f994915ac554903b

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

bozuksaatiniz.duckdns.org:1604

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      bf718c38ce3220b1df02f0772365ecccfb5c3d7eb0a87e56674bbcdd0d066227

    • Size

      518KB

    • MD5

      b3196f0ab1e0eeab4218b1626b796d10

    • SHA1

      81fc429e08a7e6b4b06010a89305facf0acaef48

    • SHA256

      bf718c38ce3220b1df02f0772365ecccfb5c3d7eb0a87e56674bbcdd0d066227

    • SHA512

      f59a4b29bd22c03976fc5543780abf5c46339dec4969a8e2214babe062e944aa29568f2943283b70682965afe53d9547d7a2c71cfd56b9f5f994915ac554903b

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks