General

  • Target

    2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe

  • Size

    6.1MB

  • Sample

    220517-qce7baehcp

  • MD5

    5f9e61796a21e65f9a03f92ee6a8f6d8

  • SHA1

    d6032fd04db0fbb6195b6e8d31491a3fc289f1ce

  • SHA256

    2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba

  • SHA512

    402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://supportnimbuzz.hexat.com/3/Att.jpg

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    ameen.myftp.biz:7788

  • Mutex

    76420c32f4f

Attributes

  • reg_key

    76420c32f4f

  • splitter

    @!#&^%$

Targets

    • Target

      2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe

    • Size

      6.1MB

    • MD5

      5f9e61796a21e65f9a03f92ee6a8f6d8

    • SHA1

      d6032fd04db0fbb6195b6e8d31491a3fc289f1ce

    • SHA256

      2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba

    • SHA512

      402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry

    T1012 (1)

  • System Information Discovery

    T1082 (2)

Tasks