General

  • Target

    b989b4de1782197d56883c42bf6827ddba68644a7a9d782964ea869ddd51118d

  • Size

    106KB

  • Sample

    220731-hsshkseefj

  • MD5

    aaf561a237e49f5eda6de8ea0896db90

  • SHA1

    80c59f9e44254bc210c7c3b10028265fa857237b

  • SHA256

    b989b4de1782197d56883c42bf6827ddba68644a7a9d782964ea869ddd51118d

  • SHA512

    f25cc11efbd4075e7794577bf56e355dff456223eef0f3d63e299d108b8423fc6137d403204f15089b3130f550dc063333e105aed8cb7479d9c8f03a0dfc0fe7

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    bG9senRlYW0xLmhvcHRvLm9yZwStrikStrik:NTU1Mg==

  • Mutex

    6c54813d91630553f111a8f411f5377f

Attributes

  • reg_key

    6c54813d91630553f111a8f411f5377f

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

Initial Access

  • Replication Through Removable Media (T1091): 1

Persistence

  • Modify Existing Service (T1031): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Lateral Movement

  • Replication Through Removable Media (T1091): 1
