General

  • Target

    Server.bin

  • Size

    93KB

  • Sample

    220706-fzm6bsbbc5

  • MD5

    edaf154b94f8808071e089661c89412e

  • SHA1

    31b1c1eefe489f1f348002d5b01870b268b24ca0

  • SHA256

    20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

  • SHA512

    8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By CobrA 217

C2

Y29icmFzc3Nzc3Nzc3Nzcy5kZG5zLm5ldAStrikStrik:MTE3Nw==

Mutex

3a080181c5938cd7611a562e79328fc0

Attributes
  • reg_key

    3a080181c5938cd7611a562e79328fc0

  • splitter

    |'|'|

Targets

    • Target

      Server.bin

    • Size

      93KB

    • MD5

      edaf154b94f8808071e089661c89412e

    • SHA1

      31b1c1eefe489f1f348002d5b01870b268b24ca0

    • SHA256

      20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

    • SHA512

      8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access

    Replication Through Removable Media (T1091): 1

  • Persistence

    Modify Existing Service (T1031): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Lateral Movement

    Replication Through Removable Media (T1091): 1
