General

  • Target

    6e0b69032f1c0c4fb88b567491628c27848f853f8b5f056ec033ac31f858fbc7

  • Size

    608KB

  • Sample

    220701-h41ckahedk

  • MD5

    9cb2e4bbd5b87385d966fd1087166505

  • SHA1

    18334afaa211687989c4bf4530493a5587cf71a8

  • SHA256

    6e0b69032f1c0c4fb88b567491628c27848f853f8b5f056ec033ac31f858fbc7

  • SHA512

    2c1a131b2227341dfea6fef9eea5b71dd1ac1978766e468a4e755bd86c99a4a4db8f43533829c54f1973eeeb353af0fb4f8677877db53c3bd97b307e2d1755c0

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    XmasMoney

  • C2

    185.244.30.248:4040

  • Mutex

    65846043dcc7fda8dafdf43614eb84ef

Attributes
  • reg_key

    65846043dcc7fda8dafdf43614eb84ef

  • splitter

    |'|'|

Targets

    • Target

      6e0b69032f1c0c4fb88b567491628c27848f853f8b5f056ec033ac31f858fbc7 (hashes and size as listed under General above)

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031), 1 hit

    Registry Run Keys / Startup Folder (T1060), 1 hit

  • Defense Evasion

    Modify Registry (T1112), 1 hit

Tasks