General

  • Target

    9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

  • Size

    699KB

  • Sample

    221002-13lrwscge2

  • MD5

    5abd9a7429df3a6f3fab1c4da9740e2e

  • SHA1

    b6c1833a87cc3f904bfe8356c677cd4f57b3aafd

  • SHA256

    9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

  • SHA512

    7810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de

  • SSDEEP

    12288:IhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a6AiDyc:wRmJkcoQricOIQxiZY1iaDiDyc

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.6.4

  • Botnet

    Slaves1

  • C2

    zafarullah.zapto.org:1604

  • Mutex

    d2af1d61020cbaaa665444e49c2e50d8

Attributes

  • reg_key

    d2af1d61020cbaaa665444e49c2e50d8

  • splitter

    |'|'|

Targets

    • Target

      9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

    • Size

      699KB

    • MD5

      5abd9a7429df3a6f3fab1c4da9740e2e

    • SHA1

      b6c1833a87cc3f904bfe8356c677cd4f57b3aafd

    • SHA256

      9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

    • SHA512

      7810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de

    • SSDEEP

      12288:IhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a6AiDyc:wRmJkcoQricOIQxiZY1iaDiDyc

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      2      T1112
  Discovery        System Information Discovery         2      T1082
  Discovery        Query Registry                       1      T1012

Tasks