General

  • Target

    c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de

  • Size

    23KB

  • Sample

    220520-g3pc8sdge5

  • MD5

    e3d0d1c17ebe317669282b73a51235b0

  • SHA1

    e63afae6b1df2ffe1fac49ac1fffe14c52e10dec

  • SHA256

    c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de

  • SHA512

    4bdde959b4d82348e4bb610f0e919bba20064fc7348a00c719387f0649596a1615a55ae5037cb0e586b5f9ce1f93454acdcc17554b1ef261aba6a7cacd2a8237

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

kryptokrypto123.ddns.net:5552

Mutex

c6dfbab76abb2fb1938d3e35b1bb6f3a

Attributes
  • reg_key (same identifier as the mutex)

    c6dfbab76abb2fb1938d3e35b1bb6f3a

  • splitter (field delimiter used in the C2 protocol)

    |'|'|
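
The extracted splitter, campaign id and version are exactly what a detection or traffic-decoding script keys on. The block below is an added example written for this page, not code from the report or from the njRAT family: an incremental parser that reassembles njRAT-style messages from TCP segments, splits the fields on the extracted delimiter, and flags a first beacon carrying this build's campaign id and version. Assumed, not stated in the report: the wire framing (ASCII decimal length, NUL byte, payload), the beacon field layout, and the base64 encoding of the victim id; the sample traffic is constructed for illustration, not captured from this sample.

```python
import base64
import binascii
from dataclasses import dataclass

# Values taken from the extracted config above.
SPLITTER = b"|'|'|"
CAMPAIGN_ID = "HacKed"
VERSION = "0.7d"


@dataclass
class NjratMessage:
    command: str
    fields: list


class NjratStreamParser:
    """Incremental parser for the njRAT wire format.

    Assumption (not stated in the report): each message is an ASCII decimal
    length, a NUL byte, then exactly that many payload bytes; payload fields
    are separated by the extracted splitter.  TCP does not preserve message
    boundaries, so feed() buffers partial data until a message is complete.
    """

    def __init__(self, splitter: bytes = SPLITTER):
        self.splitter = splitter
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        messages = []
        while True:
            nul = self.buf.find(b"\x00")
            if nul < 0:
                break  # length prefix not complete yet
            length_bytes = self.buf[:nul]
            if not length_bytes.isdigit():
                raise ValueError(f"bad njRAT length prefix: {length_bytes!r}")
            start, end = nul + 1, nul + 1 + int(length_bytes)
            if len(self.buf) < end:
                break  # payload not complete yet; wait for the next segment
            payload, self.buf = self.buf[start:end], self.buf[end:]
            parts = [p.decode("latin-1") for p in payload.split(self.splitter)]
            messages.append(NjratMessage(parts[0], parts[1:]))
        return messages


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed length-prefix framing."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def mentions_campaign(fields, campaign: str = CAMPAIGN_ID) -> bool:
    """True if any field carries the campaign id, raw or base64-encoded."""
    for field in fields:
        if field.startswith(campaign):
            return True
        try:
            decoded = base64.b64decode(field, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue  # not base64; skip
        if decoded.startswith(campaign):
            return True
    return False


def is_this_sample_beacon(msg: NjratMessage) -> bool:
    """Heuristic for a first beacon ('ll') from this build: carries the
    campaign id and the version string from the extracted config."""
    return msg.command == "ll" and VERSION in msg.fields and mentions_campaign(msg.fields)


def build_sample_stream() -> bytes:
    """Constructed traffic for demonstration, not a capture from this sample."""
    victim_id = base64.b64encode(b"HacKed_4F0F1A2B")  # constructed campaign_serial id
    beacon = SPLITTER.join([b"ll", victim_id, b"DESKTOP-01", b"user", b"22-05-20", b"",
                            b"Win 10 Pro", b"No", b"0.7d", b"..", b""])
    active_window = SPLITTER.join([b"act", base64.b64encode(b"Untitled - Notepad")])
    return frame(beacon) + frame(active_window)


def parse_stream(stream: bytes, segment_size: int = 25) -> list:
    """Feed the stream in small segments to exercise reassembly across boundaries."""
    parser = NjratStreamParser()
    messages = []
    for offset in range(0, len(stream), segment_size):
        messages.extend(parser.feed(stream[offset:offset + segment_size]))
    return messages


if __name__ == "__main__":
    for m in parse_stream(build_sample_stream()):
        flag = "  <- matches this sample's config" if is_this_sample_beacon(m) else ""
        print(m.command, m.fields, flag)
```

The parser is deliberately generic over the splitter: other njRAT builds use different delimiters, so a detection should take the splitter from the extracted config rather than hard-code it. Any message whose length prefix is not ASCII digits is rejected rather than silently resynchronised, which is the behaviour you want in a decoder that feeds alerts.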

Targets

    • Target

      c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            Count  ID
Persistence       Modify Existing Service              1      T1031
Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   Modify Registry                      1      T1112
Discovery         Query Registry                       1      T1012
Discovery         System Information Discovery         2      T1082

Tasks