General

  • Target

    0fe3094ee68392786020fb395f1cf681.exe

  • Size

    37KB

  • Sample

    220912-pzmdgadcb8

  • MD5

    0fe3094ee68392786020fb395f1cf681

  • SHA1

    230a52a00e3c2aa975d2835b6aba9508c7eaab35

  • SHA256

    4e443210374817e3d5606899931ea207192faf062b7bbb3e68fb73a54b35afb5

  • SHA512

    fc26548a4e09d25866fa411a53a7f14bf8141752316e67e4cbb54b008d26aea01bdef9f43f1415d104650195cc83673eb26a81397211a5c9db6edbd412850fd9

  • SSDEEP

    384:CfBsiDfT95hL5YyUvd3fPOM4CcpBArAF+rMRTyN/0L+EcoinblneHQM3epzX1Nrs:65v5zUvd3z1crArM+rMRa8Nu7ut

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    cash-title.at.playit.gg:21584

  • Mutex

    dcd901a8dd7dd9974388b300e245f973

Attributes

  • reg_key

    dcd901a8dd7dd9974388b300e245f973

  • splitter

    |'|'|

Targets

    • Target

      0fe3094ee68392786020fb395f1cf681.exe

    • Size

      37KB

    • MD5

      0fe3094ee68392786020fb395f1cf681

    • SHA1

      230a52a00e3c2aa975d2835b6aba9508c7eaab35

    • SHA256

      4e443210374817e3d5606899931ea207192faf062b7bbb3e68fb73a54b35afb5

    • SHA512

      fc26548a4e09d25866fa411a53a7f14bf8141752316e67e4cbb54b008d26aea01bdef9f43f1415d104650195cc83673eb26a81397211a5c9db6edbd412850fd9

    • SSDEEP

      384:CfBsiDfT95hL5YyUvd3fPOM4CcpBArAF+rMRTyN/0L+EcoinblneHQM3epzX1Nrs:65v5zUvd3z1crArM+rMRa8Nu7ut

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks