General

  • Target

    56a93141da5e548bbb1b51d75c1c6eb4.exe

  • Size

    37KB

  • Sample

    220730-2ehk1abad2

  • MD5

    56a93141da5e548bbb1b51d75c1c6eb4

  • SHA1

    220b3777cd9a82fb7ec3df41fe5671afbbff48e5

  • SHA256

    e9bf3fc00ed911d03f986e4ee8bc199835d75b2772c4089351a3e81f6a723558

  • SHA512

    48829aed487046290e28ab2e1e6db0f2084721e7fbf4766d148f17531dcca5fbc0e63cfdfbd9d9574a7c551320eb488e130be2f2776138abde7901bed5227abd

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

6.tcp.eu.ngrok.io:12180

Mutex

27a24c123d1e61d690116d6e2ecb6791

Attributes
  • reg_key

    27a24c123d1e61d690116d6e2ecb6791

  • splitter

    |'|'|

Targets

    • Target

      56a93141da5e548bbb1b51d75c1c6eb4.exe

    • Size

      37KB

    • MD5

      56a93141da5e548bbb1b51d75c1c6eb4

    • SHA1

      220b3777cd9a82fb7ec3df41fe5671afbbff48e5

    • SHA256

      e9bf3fc00ed911d03f986e4ee8bc199835d75b2772c4089351a3e81f6a723558

    • SHA512

      48829aed487046290e28ab2e1e6db0f2084721e7fbf4766d148f17531dcca5fbc0e63cfdfbd9d9574a7c551320eb488e130be2f2776138abde7901bed5227abd

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks