0x0006000000004ed7-55.dat

General
Target

0x0006000000004ed7-55.dat

Size

37KB

Sample

220521-ttv6msabc5

Score
10/10
MD5

05d1abc69e538eb3c86bfeacc33c2a10

SHA1

f424222562968f86d5d043cce57b1a0389061150

SHA256

cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

SHA512

e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

Malware Config

Extracted

Family njrat
Version im523
Botnet WormRATT
C2

178.33.93.88:1742

Attributes
reg_key
7869d44e9b90d6b1e669bf52c9e89c61
splitter
|'|'|
Targets
Target

0x0006000000004ed7-55.dat

Signatures

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE

  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry
    System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Drops autorun.inf file

    Description

    Malware can abuse Windows Autorun to spread further via attached volumes.

    TTPs

    Replication Through Removable Media

MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Privilege Escalation