General

  • Target

    3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed

  • Size

    1MB

  • Sample

    220520-ptxl9abgb3

  • MD5

    bed8273f6aa0838212bfd15422318320

  • SHA1

    ba3abe75066d40dd95ebe7b6a601fe005b4d2dfd

  • SHA256

    3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed

  • SHA512

    6aa2021b5c559c856e53925f710646db430ca35f1bbe81f334e8275a3f9e9dded58bfb3c5839f9c7d453a2a8e69cdee67b43d3e4c9727c0a813f7ac2b14d2039

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

31.10.120.162:5555

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed

    • Size

      1MB

    • MD5

      bed8273f6aa0838212bfd15422318320

    • SHA1

      ba3abe75066d40dd95ebe7b6a601fe005b4d2dfd

    • SHA256

      3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed

    • SHA512

      6aa2021b5c559c856e53925f710646db430ca35f1bbe81f334e8275a3f9e9dded58bfb3c5839f9c7d453a2a8e69cdee67b43d3e4c9727c0a813f7ac2b14d2039

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks