General

  • Target

    HEUR-Backdoor.MSIL.Bladabindi.gen-1164dc6c14d.exe

  • Size

    1.4MB

  • Sample

    220914-yd4kasbbe9

  • MD5

    d1d34d4b2632b015feec87ff62cfe143

  • SHA1

    19531f092784d7f52cf1df89d180f0e63ec43142

  • SHA256

    1164dc6c14d548b7528a2441a822961d663f478520502fc06b3a0e12afa42111

  • SHA512

    626a3d331b360028aa66e0ca0b2ff8185dacbb02e45d5d5f9bea6bf400cba02bbc00ddd6fe2daa77d103d25179b64235689085961968e1649abd12d6015c9dab

  • SSDEEP

    24576:MAw9HGAUKXNphFY5tysivoyN1DHuMl36I9R+AdI/3:M/NSauMl3rTi

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    0.tcp.ngrok.io:17413

  • Mutex

    ed0dbeeaea86b7db8fabde04117ddf70

  • Attributes

    reg_key: ed0dbeeaea86b7db8fabde04117ddf70

    splitter: |'|'|

Targets

    • Target

      HEUR-Backdoor.MSIL.Bladabindi.gen-1164dc6c14d.exe

    • Size

      1.4MB

    • MD5

      d1d34d4b2632b015feec87ff62cfe143

    • SHA1

      19531f092784d7f52cf1df89d180f0e63ec43142

    • SHA256

      1164dc6c14d548b7528a2441a822961d663f478520502fc06b3a0e12afa42111

    • SHA512

      626a3d331b360028aa66e0ca0b2ff8185dacbb02e45d5d5f9bea6bf400cba02bbc00ddd6fe2daa77d103d25179b64235689085961968e1649abd12d6015c9dab

    • SSDEEP

      24576:MAw9HGAUKXNphFY5tysivoyN1DHuMl36I9R+AdI/3:M/NSauMl3rTi

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031), count 1

  • Discovery

    Query Registry (T1012), count 1

    System Information Discovery (T1082), count 2

Tasks