General

  • Target

    db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e

  • Size

    43KB

  • Sample

    220520-evgbjshdh5

  • MD5

    71152f3b9a20b6bdf15451f7fefceeb5

  • SHA1

    f1bfb4bbf23866b97cee0fb39895f365377003e9

  • SHA256

    db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e

  • SHA512

    1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7

Malware Config

Extracted

  • Family

    njrat

  • Version

    Njrat 0.7 Golden By Hassan Amiri

  • Botnet

    ???

  • C2

    127.0.0.1:6626

  • Mutex

    Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2