General

  • Target

    f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848

  • Size

    29KB

  • Sample

    220731-f1lc5abdbk

  • MD5

    56b48e11484f9de5271ec5b299fdb2f8

  • SHA1

    ee065c111bc8bf007a2f0a34db37436f1c530968

  • SHA256

    f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848

  • SHA512

    dff379f4ca929dece1b9360dc02e890970c1e00a00e6c8ca5506c3e2bf0060a3f627905204a2dab715758e07328b53313b830e903d556eee5a10978203846d94

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

ddas.ddns.net:2700

Mutex

664661b4c81638bcf0bec04457373cd7

Attributes
  • reg_key

    664661b4c81638bcf0bec04457373cd7

  • splitter

    |'|'|
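
The config fields above are what a network analyst needs to recognise this bot's traffic: njRAT joins the fields of every message with the splitter string and identifies the bot to its C2 with the botnet (campaign) name. The following Python is an added example, not code from the report or from the malware itself. It assumes the wire format documented for the njRAT 0.6.x/0.7 family (an ASCII decimal length, a NUL byte, then the splitter-joined payload, with the second field of the `ll` registration message being base64 of `<campaign>_<volume serial>`); the sample stream is constructed here, not captured from the sandbox run.

```python
import base64

# Values taken from the extracted config above
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "ddas.ddns.net", 2700
CAMPAIGN = "HacKed"


def build_frame(*fields: str) -> bytes:
    """Encode one njRAT message: ASCII decimal payload length, a NUL byte, then the
    splitter-joined fields. Framing and field order are assumptions drawn from public
    analyses of the 0.6.x/0.7 family, not something the report states."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes) -> list[str]:
    """Walk a captured TCP stream and return complete payloads in order.
    A trailing partial frame is left unread rather than mis-parsed."""
    frames: list[str] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"non-numeric length field at offset {pos}: {length_field!r}")
        start, end = nul + 1, nul + 1 + int(length_field)
        if end > len(stream):
            break  # incomplete frame: wait for more bytes
        frames.append(stream[start:end].decode("utf-8", errors="replace"))
        pos = end
    return frames


def classify(payload: str) -> dict:
    """Split a payload on the configured splitter and, for a registration ('ll')
    message, recover the campaign ID. Assumption: the second field of 'll' is
    base64("<campaign>_<volume serial>"), which is how this family names a bot."""
    fields = payload.split(SPLITTER)
    info = {"cmd": fields[0], "nfields": len(fields)}
    if fields[0] == "ll" and len(fields) > 1:
        try:
            ident = base64.b64decode(fields[1], validate=True).decode("utf-8", errors="replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return info
        campaign, sep, serial = ident.partition("_")
        if sep:
            info["campaign"], info["volume_serial"] = campaign, serial
    return info


def matches_extracted_config(info: dict) -> bool:
    """True when a registration frame carries the botnet ID from this report's config."""
    return info.get("cmd") == "ll" and info.get("campaign") == CAMPAIGN


# Constructed sample stream (not a capture from the sandbox run): a registration,
# a keepalive, and a truncated 'act' frame to exercise the partial-frame path.
SAMPLE_STREAM = (
    build_frame("ll", base64.b64encode(b"HacKed_7C3A11F0").decode("ascii"), "victim",
                "22-07-31", "", "Win 7 Ultimate SP1 x86", "No", "0.6.4", "..", "Untitled - Notepad")
    + build_frame("P")
    + b"40\x00act" + SPLITTER.encode("ascii")
)

if __name__ == "__main__":
    for payload in parse_frames(SAMPLE_STREAM):
        info = classify(payload)
        print(info, "<- matches extracted config" if matches_extracted_config(info) else "")
```

The splitter is the most stable token for a content signature: it is a literal string in the binary and is sent in clear text on every message, whereas the C2 hostname is a dynamic DNS name that the operator can repoint at will. Matching on the splitter plus the `ll` campaign string ties a beacon to this specific build rather than to njRAT in general.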

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application
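
The two persistence-related behaviours flagged above, the Run key and the Windows Firewall change, are the host-side counterpart to the network indicators in the config. The Python below is an added example, not part of the report, that checks Sysmon-style events for them. It assumes what is typical for this family rather than anything the report states: that the Run value is named after the config's reg_key (which in njRAT doubles as the mutex name) and that the firewall change is made by spawning `netsh`. The events are constructed here, not taken from the sandbox run.

```python
import re

# Value taken from the report's extracted config (reg_key == mutex for this sample)
REG_KEY = "664661b4c81638bcf0bec04457373cd7"

# Value name under any hive's ...\CurrentVersion\Run (Sysmon logs HKCU as HKU\<SID>)
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Legacy and current netsh syntaxes that allow a program through the Windows Firewall
NETSH_LEGACY_RE = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
NETSH_ADVFW_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def check_run_value(event: dict):
    """Sysmon EventID 13 (registry value set). Hit when the Run value name equals the
    configured reg_key, or more loosely when it is a 32-hex-digit name of the kind
    njRAT generates (assumption about the family, not a statement from the report)."""
    if event.get("EventID") != 13:
        return None
    m = RUN_VALUE_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    name = m.group(1)
    if name.lower() == REG_KEY:
        reason = "run_value_matches_config_reg_key"
    elif re.fullmatch(r"[0-9a-f]{32}", name, re.IGNORECASE):
        reason = "run_value_md5_like_name"
    else:
        return None
    return {"reason": reason, "image": event.get("Image", ""), "evidence": event["TargetObject"]}


def check_netsh_firewall(event: dict):
    """Sysmon EventID 1 (process create). Hit on a netsh firewall allow rule; the
    'image' reported is the program being allowed, which is what to pivot on."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    m = NETSH_LEGACY_RE.search(cmd) or NETSH_ADVFW_RE.search(cmd)
    if not m:
        return None
    allowed = m.group(1) or m.group(2) or event.get("ParentImage", "")
    return {"reason": "netsh_firewall_allow_program", "image": allowed, "evidence": cmd}


def triage(events: list[dict]) -> list[dict]:
    """Run both checks and mark hits whose binary appears in more than one hit: the
    same executable both persisting via Run and opening the firewall is the install
    pattern the report's signatures describe."""
    hits = [h for e in events for h in (check_run_value(e), check_netsh_firewall(e)) if h]
    for h in hits:
        same = [x for x in hits if x["image"] and x["image"].lower() == h["image"].lower()]
        h["correlated"] = len(same) > 1
    return hits


# Constructed Sysmon-style events (not from the sandbox run); SID and paths are made up.
SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
DROPPED = r"C:\Users\victim\AppData\Roaming\svhost.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\{REG_KEY}",
     "Details": f'"{DROPPED}" ..'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": f'netsh firewall add allowedprogram "{DROPPED}" "svhost.exe" ENABLE'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["reason"], hit["image"], "correlated" if hit["correlated"] else "")
```

The loose 32-hex-digit match will also fire on legitimate software that uses GUID-like Run value names, so treat it as a pivot rather than a verdict; the exact reg_key match and the correlation with a firewall change by the same binary are what make the result specific to this sample.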

MITRE ATT&CK Matrix (ATT&CK v6)

Technique (ID) and number of matching signatures per tactic:

Persistence

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2
