General

  • Target

    d1ccd57bb4a15797f9f98ca0c70e5a583da1059021fc653ebf1c4df52b99f66c

  • Size

    23KB

  • Sample

    220520-p6vcnafefn

  • MD5

    2f439cad99858b8480e905754318512b

  • SHA1

    36a84b10000b017fc278742b618f74099279a3b8

  • SHA256

    d1ccd57bb4a15797f9f98ca0c70e5a583da1059021fc653ebf1c4df52b99f66c

  • SHA512

    4fc3e6484f3f2eef9e4684794919bd746b99479e33fec0bcf29b675562a00aa11df644bc2f3a7f64341909e0ae7cb7dd9498e36ea0ae0e7b49cd955ac2adb2a2

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    mahmoodgngn.ddns.net:5552

  • Mutex

    5d4074a49fd9ccea390001056b51d91c

Attributes

  • reg_key

    5d4074a49fd9ccea390001056b51d91c

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2