General

  • Target: 5b30914f3bb2dc4ad5fb605bc92dfc89a292020de515651ab404c29a25884f9d
  • Size: 23KB
  • Sample: 220802-a1jxeabfh3
  • MD5: 8d2da64f6d2d389fef00162e2960c8f6
  • SHA1: 1568a39f7540a3899672ba4b11d2b17024c21ecb
  • SHA256: 5b30914f3bb2dc4ad5fb605bc92dfc89a292020de515651ab404c29a25884f9d
  • SHA512: 41ddbab2b05dd0771d6e89ce8362a41ec96f2c6846a1cba4a7fb1dbd65825e8966d74d196900a71a53e846d92c76382e19ed7abaaf169d7720badc5c20ebe5d8

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: HacKed
  • C2: 192.30.83.230:5552
  • Mutex: 0b1143fb4c2dc7f8c57479777e842f82
  • Attributes
    • reg_key: 0b1143fb4c2dc7f8c57479777e842f82
    • splitter: |'|'|

Targets

    • njRAT/Bladabindi: widely used RAT written in .NET.
    • Executes dropped EXE
    • Modifies Windows Firewall
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2
