General

  • Target

    009f8928b2e3dbdaec6c166e820445d0.exe

  • Size

    37KB

  • Sample

    220727-g4bhrseef7

  • MD5

    009f8928b2e3dbdaec6c166e820445d0

  • SHA1

    ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315

  • SHA256

    952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047

  • SHA512

    3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

eidnafa522.ddns.net:5552

Mutex

4a7bbceff6cedc909e9ef3cb6a805541

Attributes
  • reg_key

    4a7bbceff6cedc909e9ef3cb6a805541

  • splitter

    |'|'|
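The splitter above is the field delimiter njRAT uses inside its C2 messages, so it is the first thing to reach for when carving beacons out of a capture to this C2. The following parser is an added example, not code from the page or from the sandbox; the length-prefix framing (ASCII decimal length, a NUL byte, then the payload), the registration field order and the "botnet_hwid" layout of the second field are assumptions, and the sample stream is constructed, not a real capture. The splitter, C2 host and port, botnet id and version string are taken from the extracted config.

```python
import re

# Values taken from the extracted config on this page.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "eidnafa522.ddns.net", 5552

# Assumed framing (not stated on the page): ASCII decimal payload length,
# a single NUL byte, then the payload, whose fields are joined by SPLITTER.
FRAME_SEP = b"\x00"


def build_frame(fields):
    """Encode a list of string fields into one length-prefixed frame."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + FRAME_SEP + payload


def parse_stream(data):
    """Split a reassembled TCP stream into frames; returns (frames, leftover).

    Each frame is returned as its list of fields. Bytes after the last
    complete frame are returned unchanged so the caller can wait for more.
    """
    frames = []
    while data:
        length_str, sep, rest = data.partition(FRAME_SEP)
        if not sep:
            break                      # no NUL yet: need more data
        if not length_str.isdigit() or len(length_str) > 8:
            raise ValueError("bad length prefix: %r" % length_str[:16])
        length = int(length_str)
        if len(rest) < length:
            break                      # partial frame: keep it as leftover
        payload, data = rest[:length], rest[length:]
        frames.append(payload.decode("utf-8", errors="replace").split(SPLITTER))
    return frames, data


def summarize(fields):
    """Pull the analyst-relevant bits out of a parsed frame."""
    info = {"command": fields[0] if fields else ""}
    # Assumption: the campaign/botnet id is the prefix before '_' in field 1
    # (the remainder is a per-host id); the version is the field shaped im###.
    if len(fields) > 1 and "_" in fields[1]:
        info["botnet"], info["hwid"] = fields[1].split("_", 1)
    for f in fields:
        if re.fullmatch(r"im\d{3}", f):
            info["version"] = f
    return info


# Constructed registration beacon, not a real capture; field order is illustrative.
SAMPLE_FIELDS = ["ll", "HacKed_5A3F8C2E", "VICTIM-PC", "victim", "22-07-27",
                 "", "Win 10 Pro SP0 x64", "No", "", "im523", "..", "Program Manager"]
# Two frames back to back, as they would arrive in one reassembled TCP segment.
SAMPLE_STREAM = build_frame(SAMPLE_FIELDS) + build_frame(["inf", "ok"])

if __name__ == "__main__":
    frames, leftover = parse_stream(SAMPLE_STREAM)
    for fr in frames:
        print(summarize(fr))
    print("leftover bytes:", len(leftover))
```

Running it over a real pcap means feeding `parse_stream` the reassembled client-to-server bytes of the TCP session to port 5552 and keeping the leftover between reads; a frame whose length prefix is not all digits is a sign the stream was cut mid-frame or is not njRAT at all.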

Targets

    • Target

      009f8928b2e3dbdaec6c166e820445d0.exe

    • Size

      37KB

    • MD5

      009f8928b2e3dbdaec6c166e820445d0

    • SHA1

      ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315

    • SHA256

      952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047

    • SHA512

      3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Reads the country code configured in the registry; this is likely used as a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application
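The behaviours above map to a handful of host artefacts that can be hunted for directly: the Run key value that njRAT names after its mutex (the reg_key attribute above), the netsh firewall exception it adds for the dropped copy, and DNS and TCP activity towards the configured C2. The scanner below is an added example, not part of the sandbox report; it runs over constructed Sysmon-style key=value lines, the dropped file name and paths are hypothetical, and the host, port and reg_key are taken from the config on this page.

```python
import re

# Indicators from this page's extracted config.
C2_HOST, C2_PORT = "eidnafa522.ddns.net", "5552"
REG_KEY = "4a7bbceff6cedc909e9ef3cb6a805541"   # also used as the mutex name
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed Sysmon-style events (one key=value record per line). The
# dropped file name "server.exe" and the user paths are hypothetical.
SAMPLE_EVENTS = r"""
EventID=11 Image=C:\Users\victim\Desktop\009f8928b2e3dbdaec6c166e820445d0.exe TargetFilename=C:\Users\victim\AppData\Roaming\server.exe
EventID=1 Image=C:\Users\victim\AppData\Roaming\server.exe CommandLine="C:\Users\victim\AppData\Roaming\server.exe"
EventID=13 Image=C:\Users\victim\AppData\Roaming\server.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\4a7bbceff6cedc909e9ef3cb6a805541 Details=C:\Users\victim\AppData\Roaming\server.exe
EventID=1 Image=C:\Windows\System32\netsh.exe CommandLine=netsh firewall add allowedprogram "C:\Users\victim\AppData\Roaming\server.exe" "server.exe" ENABLE
EventID=22 Image=C:\Users\victim\AppData\Roaming\server.exe QueryName=eidnafa522.ddns.net
EventID=3 Image=C:\Users\victim\AppData\Roaming\server.exe DestinationHostname=eidnafa522.ddns.net DestinationPort=5552
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe
"""

# key=value pairs; a value runs until the next " Key=" or end of line, so
# command lines with spaces survive.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?= \w+=|$)')


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def match_rules(ev):
    """Return the names of every indicator rule this event satisfies."""
    hits = []
    eid = ev.get("EventID")
    if eid == "22" and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append("dns_lookup_of_c2")
    if (eid == "3" and ev.get("DestinationHostname", "").lower() == C2_HOST
            and ev.get("DestinationPort") == C2_PORT):
        hits.append("connection_to_c2")
    # Run value named after the mutex: compare case-insensitively, Sysmon
    # reports the hive as HKU\<SID> rather than HKCU.
    if eid == "13" and ev.get("TargetObject", "").lower().endswith(RUN_KEY + REG_KEY):
        hits.append("run_key_named_after_mutex")
    cmd = ev.get("CommandLine", "").lower()
    if eid == "1" and "netsh" in cmd and "firewall" in cmd and "allowedprogram" in cmd:
        hits.append("netsh_firewall_exception")
    return hits


def scan(log_text):
    """Scan a block of records; returns (line_no, rule, image) per hit."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_event(line)
        for rule in match_rules(ev):
            findings.append((n, rule, ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for n, rule, image in scan(SAMPLE_EVENTS):
        print(f"line {n}: {rule} ({image})")
```

The Run-key rule is the most durable of the four: the dynamic-DNS host can be rotated and the firewall command only fires once at install, but the value name is fixed by the build's reg_key. The mutex itself does not appear in Sysmon telemetry; check it with a handle enumerator on a live host.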

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
