General

  • Target

    9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

  • Size

    699KB

  • Sample

    221002-13lrwscge2

  • MD5

    5abd9a7429df3a6f3fab1c4da9740e2e

  • SHA1

    b6c1833a87cc3f904bfe8356c677cd4f57b3aafd

  • SHA256

    9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

  • SHA512

    7810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.6.4

  • Botnet

    Slaves1

  • C2

    zafarullah.zapto.org:1604

  • Attributes

    reg_key: d2af1d61020cbaaa665444e49c2e50d8

    splitter: |'|'|

Targets

    • Target

      9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

    • Size

      699KB

    • MD5

      5abd9a7429df3a6f3fab1c4da9740e2e

    • SHA1

      b6c1833a87cc3f904bfe8356c677cd4f57b3aafd

    • SHA256

      9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371

    • SHA512

      7810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Collection

  • Command and Control

  • Credential Access

  • Defense Evasion

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Privilege Escalation