General
-
Target
achwithrat.exe
-
Size
1020KB
-
Sample
220714-1ml3qabcan
-
MD5
e409c85a0d1dcf43d2ed11c436e9aabe
-
SHA1
a221ecf82df1650b6a34b15cfcf052581d316aa6
-
SHA256
41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
-
SHA512
9ff191e371c097fdc9627ee817c6a774e24b880fc09a4e41faf37cfc4046e9c499cf2f14f9e720f71c288cc70cd3e4664c68c39df6aceeefe57aecd24022e828
Malware Config
Extracted
njrat
im523
gay
4.tcp.eu.ngrok.io:10296
f61a5d905ecbb8c8be462972af515144
-
reg_key
f61a5d905ecbb8c8be462972af515144
-
splitter
|'|'|
Targets
-
-
Target
achwithrat.exe
-
Size
1020KB
-
MD5
e409c85a0d1dcf43d2ed11c436e9aabe
-
SHA1
a221ecf82df1650b6a34b15cfcf052581d316aa6
-
SHA256
41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
-
SHA512
9ff191e371c097fdc9627ee817c6a774e24b880fc09a4e41faf37cfc4046e9c499cf2f14f9e720f71c288cc70cd3e4664c68c39df6aceeefe57aecd24022e828
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-