General

  • Target

    Heart-Sender Priv8 Version.zip

  • Size

    387KB

  • Sample

    220915-j7jpnacdd4

  • MD5

    a43b0ad4a3b89c94bbe85f54e9839472

  • SHA1

    00aedb47137ed4a75400caea23a31797ea388d7c

  • SHA256

    c30250a18d472e5c8379e8eaa939e0bf3cc87cfe991da6deba491a092afb0611

  • SHA512

    e3aad6d5d5b01d203aa19b7facdccd59dc5569d22ebb6d2c6c87f60c1ec9820cdf66f0068b355386bb0a4d4229a31161cf97e16aa4d1568d0675def29ac1ab92

  • SSDEEP

    12288:vYJcM8SLF5tTwvZKp7yXaJHJtjl05T9CK:vY2QLFjw0p7jJHJNl05YK

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    newpartyfrmaap.ddns.net:7070

  • Mutex

    fb4647cd59a8f29058f4529d83344fa5

  • Attributes

    • reg_key

      fb4647cd59a8f29058f4529d83344fa5

    • splitter

      |'|'|
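Added example (not part of the sandbox report): a small Python parser for njRAT-style C2 traffic built from the extracted config above. The framing (ASCII decimal length, a NUL byte, then the payload) and the use of the splitter string as the field separator are taken from public njRAT write-ups, not from this page; the layout of the "ll" registration message (first field a base64 victim id of the form <botnet>_<volume serial>) and the "P" keep-alive are assumptions marked in the code. The byte stream it parses is constructed for the example, not captured from this sample, and the host name DESKTOP-AB12, user admin and serial 1A2B3C4D are made up.

```python
import base64
import binascii

# Values copied from the extracted config on this page.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "newpartyfrmaap.ddns.net", 7070
CAMPAIGN = "HacKed"  # njRAT "Botnet" value


def frame(payload: bytes) -> bytes:
    """Encode one njRAT frame: ASCII decimal length, NUL, payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes):
    """Split a raw njRAT TCP stream into complete payloads.

    Returns (frames, leftover). An incomplete trailing frame is returned in
    leftover so the caller can prepend it to the next read instead of
    silently dropping it.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length field at offset {pos}: {length_field!r}")
        start = nul + 1
        end = start + int(length_field)
        if end > len(stream):
            break  # truncated frame: wait for more data
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def maybe_b64(field: str) -> str:
    """njRAT base64-encodes some fields (victim id, window title).

    Decode a field only if it is strict base64 of printable text; anything
    else (hostnames, user names, flags) is returned unchanged.
    """
    try:
        text = base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return field
    return text if text.isprintable() else field


def decode_frame(payload: bytes) -> dict:
    """Split a payload on the configured splitter into command + fields."""
    fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    return {"cmd": fields[0], "fields": [maybe_b64(f) for f in fields[1:]]}


def registration_info(messages):
    """Pull the victim id out of the first 'll' registration message.

    Assumed layout (from public 0.7d analyses, not stated on this page):
    ll | <victim id, base64> | <hostname> | <username> | ...
    The victim id is '<botnet>_<volume serial>', so its prefix can be checked
    against the Botnet value in the extracted config.
    """
    for msg in messages:
        if msg["cmd"] == "ll" and msg["fields"]:
            victim_id = msg["fields"][0]
            campaign = victim_id.split("_", 1)[0]
            return {"victim_id": victim_id, "campaign": campaign,
                    "campaign_matches_config": campaign == CAMPAIGN}
    return None


def is_c2_match(host: str, port: int) -> bool:
    """Compare an observed destination with the extracted C2 indicator."""
    return host.lower() == C2_HOST and port == C2_PORT


def analyze(stream: bytes) -> dict:
    frames, leftover = parse_frames(stream)
    messages = [decode_frame(f) for f in frames]
    return {"messages": messages, "leftover": leftover,
            "registration": registration_info(messages)}


# Constructed sample traffic (not a real capture): a registration message,
# an assumed "P" keep-alive, and a truncated third frame that must stay unconsumed.
_VICTIM_ID = base64.b64encode(b"HacKed_1A2B3C4D").decode()
SAMPLE_STREAM = (
    frame(SPLITTER.join(["ll", _VICTIM_ID, "DESKTOP-AB12", "admin"]).encode())
    + frame(b"P")
    + b"40\x00ll" + SPLITTER.encode()
)

if __name__ == "__main__":
    result = analyze(SAMPLE_STREAM)
    for msg in result["messages"]:
        print(msg)
    print("registration:", result["registration"])
    print("unconsumed bytes:", result["leftover"])
```

The length prefix is what makes this worth parsing properly: reading the stream up to the splitter would miss the keep-alive and would either lose or double-count the truncated trailing frame.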

Targets

    • Target

      Heart-Sender Priv8 Version/Heart-Sender-V1.2.exe

    • Size

      1MB

    • MD5

      175d1484e55c5b6f16bff5631b92c171

    • SHA1

      b11901746a8143c558877ea42dfa1221874bfba5

    • SHA256

      7119d9570d888f5ffcb8f3c54d8d962fc87d83fbdd34c96b951acb3d2889777f

    • SHA512

      93fa8f0b5401ef5d6069bfecec897267fae61888d82058973687bb13bcfa684d3c29249703774c889efe5ae91efda0957098f1c3fd4d7a0eccec86184104537c

    • SSDEEP

      12288:+7qKAAwzaQa3lsZtsW2NH8d98AsmZF3ARZ0AsEye7Zm8TPXWP:2xJwzaQa3Pc98pmZFQ3WP

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application
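Added example (not from the report): host-side detection logic in Python, run over constructed Sysmon-style events, for the "Adds Run key to start application" and "Modifies Windows Firewall" signatures above. The reg_key value comes from the extracted config (njRAT reuses its mutex string as the Run value name). Everything else is constructed sample data: the file name payload.exe, the SID, the OneDrive and SecurityHealth entries, and the netsh command line; treating a netsh firewall command as the firewall change is an assumption, since the report says only that the firewall is modified.

```python
import re

# From the extracted config on this page: njRAT reuses its mutex string as the
# value name of the Run key it creates (reg_key).
KNOWN_REG_KEY = "fb4647cd59a8f29058f4529d83344fa5"

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.I)
# Assumption: the firewall is modified from the command line with netsh (the
# report states only that the firewall is modified, not how).
NETSH_FW_RE = re.compile(
    r"\bnetsh\b.*\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I)


def classify(event: dict):
    """Return (severity, reason) for one Sysmon-style event, or None if benign."""
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if not m:
            return None
        value, data = m.group("value"), event.get("Details", "")
        if value.lower() == KNOWN_REG_KEY:
            return "high", f"Run value name matches njRAT reg_key {KNOWN_REG_KEY}"
        if HEX32_RE.match(value):
            return "medium", f"Run value name is a bare 32-hex string: {value}"
        if USER_WRITABLE_RE.search(data):
            # Legitimate per-user software (OneDrive, Teams) does this too,
            # so on its own it is only a weak signal.
            return "low", f"Run value {value} starts a binary from a user-writable path"
        return None
    if eid == 1:  # ProcessCreate
        cmd = event.get("CommandLine", "")
        if NETSH_FW_RE.search(cmd):
            sev = "high" if USER_WRITABLE_RE.search(cmd) else "medium"
            return sev, "firewall exception added via netsh"
    return None


def scan(events):
    """Run classify() over a batch; keep hits as (RecordId, severity, reason)."""
    return [(e["RecordId"], *hit) for e in events if (hit := classify(e))]


# Constructed sample events (not from the report); field names follow Sysmon.
_RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
_HKU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13,
     "TargetObject": _HKU + _RUN + r"\fb4647cd59a8f29058f4529d83344fa5",
     "Details": r'"C:\Users\victim\AppData\Roaming\payload.exe"'},
    {"RecordId": 2, "EventID": 13,
     "TargetObject": _HKU + _RUN + r"\OneDrive",
     "Details": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"RecordId": 4, "EventID": 1,
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\victim\AppData\Roaming\payload.exe" "payload.exe" ENABLE'},
    {"RecordId": 5, "EventID": 1,
     "CommandLine": "netsh interface show interface"},
    {"RecordId": 6, "EventID": 13,
     "TargetObject": _HKU + _RUN + r"\0123456789abcdef0123456789abcdef",
     "Details": r"C:\Users\victim\AppData\Roaming\x.exe"},
]

if __name__ == "__main__":
    for record_id, severity, reason in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {severity}: {reason}")
```

The exact reg_key is only useful against this build; the 32-hex value-name check is what carries over to other njRAT builds, while the user-writable-path check is deliberately rated low because it fires on ordinary per-user installers.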

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is the count of matched signatures)

  • Persistence

    • Modify Existing Service (T1031): 1

    • Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    • Modify Registry (T1112): 1

  • Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 2
