General

  • Target

    61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

  • Size

    23KB

  • Sample

    220730-ynj9eaegej

  • MD5

    20790f1a5c5557ef801926d7ce1e4498

  • SHA1

    936eae636323d512932d84a45a930626a684b2a9

  • SHA256

    61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

  • SHA512

    9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    na33waaf.no-ip.biz:2485

  • Mutex

    efb8374654449498f987b4a0e64f2f90

  • Attributes

    reg_key: efb8374654449498f987b4a0e64f2f90

    splitter: |'|'|

Targets

    • Target

      61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

    • Size

      23KB

    • MD5

      20790f1a5c5557ef801926d7ce1e4498

    • SHA1

      936eae636323d512932d84a45a930626a684b2a9

    • SHA256

      61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

    • SHA512

      9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Modify Existing Service (1) T1031

    Registry Run Keys / Startup Folder (1) T1060

  • Defense Evasion

    Modify Registry (1) T1112

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

Tasks