General

  • Target

    0b2a16e1bd03efa2d2cfce1b5934f9acaf95a9ca2eca8a14e14917e6007c117d

  • Size

    43KB

  • Sample

    220520-w9ke7afbdj

  • MD5

    10bdf19e3eab9e4865f6c547d200983c

  • SHA1

    f36a5d705d880393bad7d08d65c976e8608d52ab

  • SHA256

    0b2a16e1bd03efa2d2cfce1b5934f9acaf95a9ca2eca8a14e14917e6007c117d

  • SHA512

    480130ef268d5e36fa3a6550ca95e0205d1b9f760522e6a7fd4d7c9bf8be1ac6d0698ca0a1a13a0cc80961802270fae33875a33c822b3c493ecce89225a36c7d

Malware Config

Extracted

  • Family

    njrat

  • Version

    Njrat 0.7 Golden By Hassan Amiri

  • Botnet

    HacKed

  • C2

    kingoravrus.ddns.net:1177

  • Mutex

    Windows Update

Attributes

  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      0b2a16e1bd03efa2d2cfce1b5934f9acaf95a9ca2eca8a14e14917e6007c117d

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks