General

  • Target

    a2b7067c9ed51dcf8eccb251da3bae89.exe

  • Size

    37KB

  • Sample

    220906-ggayqafgf7

  • MD5

    a2b7067c9ed51dcf8eccb251da3bae89

  • SHA1

    72dded4f4c1474804ab9508176a5587d71529d4b

  • SHA256

    d3895a176b088ccea8de7ff50cabe73195a0a56bf4d32482dbc47bdcef733dc2

  • SHA512

    609412d6e4147bf87cc8481c7fec9b9c39c540042879cbabc916b007942df21fcc0ed05f0cefe9e01b839ee3c9279368d4de9ccb19e1a7fe37a6bc3e82395d74

  • SSDEEP

    384:snu1HCiMT3jBVbJsy8PVAbAoJvzv7QyYdbrAF+rMRTyN/0L+EcoinblneHQM3epb:0hbJP8PVsAafVYJrM+rMRa8NuIGt

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HACK

C2

journal-serial.at.playit.gg:59826

Mutex

6b15523b39e3dae4db6cae2a109d2d5f

Attributes
  • reg_key

    6b15523b39e3dae4db6cae2a109d2d5f

  • splitter

    |'|'|

Targets

    • Target

      a2b7067c9ed51dcf8eccb251da3bae89.exe

    • Size

      37KB

    • MD5

      a2b7067c9ed51dcf8eccb251da3bae89

    • SHA1

      72dded4f4c1474804ab9508176a5587d71529d4b

    • SHA256

      d3895a176b088ccea8de7ff50cabe73195a0a56bf4d32482dbc47bdcef733dc2

    • SHA512

      609412d6e4147bf87cc8481c7fec9b9c39c540042879cbabc916b007942df21fcc0ed05f0cefe9e01b839ee3c9279368d4de9ccb19e1a7fe37a6bc3e82395d74

    • SSDEEP

      384:snu1HCiMT3jBVbJsy8PVAbAoJvzv7QyYdbrAF+rMRTyN/0L+EcoinblneHQM3epb:0hbJP8PVsAafVYJrM+rMRa8NuIGt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks