General

  • Target

    04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01

  • Size

    43KB

  • Sample

    220520-fbgzeadbhn

  • MD5

    2c7e2f0618c5e97da339818408f8f280

  • SHA1

    5e6ea81e291b81bd7281e7c7a27812ab101af1e2

  • SHA256

    04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01

  • SHA512

    50dedbf570f9b9933623eac8b2e762e082cb60c22a3c629fdada9daa5367cd825b4aaf74d8f1afa0ee6f7c4cfba71ac15204c2b1636de5cc7a36a85025cfcc5a

Malware Config

Extracted

  • Family

    njrat

  • Version

    Njrat 0.7 Golden By Hassan Amiri

  • Botnet

    hack

  • C2

    213.159.212.162:8472

  • Mutex

    DriverStartup

  • Attributes

    reg_key: DriverStartup

    splitter: |Hassan|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2