Description
Widely used RAT written in .NET.
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
General
Target
Size
Sample
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
6MB
220517-qce7baehcp
Score
10 /10
MD5
SHA1
SHA256
SHA512
5f9e61796a21e65f9a03f92ee6a8f6d8
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Malware Config
Extracted
| Language | ps1 |
| Deobfuscated |
|
| URLs |
ps1.dropper
http://supportnimbuzz.hexat.com/3/Att.jpg |
Extracted
| Family | njrat |
| Version | 0.7NC |
| Botnet | NYAN CAT |
| C2 |
ameen.myftp.biz:7788 |
| Attributes |
reg_key 76420c32f4f
splitter @!#&^%$ |
Targets
Target
MD5
Filesize
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
5f9e61796a21e65f9a03f92ee6a8f6d8
6MB
Score
10/10
SHA1
SHA256
SHA512
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Tags
Signatures
-
njRAT/Bladabindi
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Description
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Tags
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Drops startup file
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks