General

  • Target

    f2a05c5f1219aaffda9e5a342e987095276efe7e1977bdd636bd15dbc6047b95

  • Size

    23KB

  • Sample

    221003-ar46zsadel

  • MD5

    6f99b978e519e45e7d72b153d66edb70

  • SHA1

    f87fce0d180c1be2ac06c852c1423522a8699da5

  • SHA256

    f2a05c5f1219aaffda9e5a342e987095276efe7e1977bdd636bd15dbc6047b95

  • SHA512

    b9b5429bcee8e0f030b0a66540c04a8ac738f3f6941225bad315e488ff75e8b13194fe39b12e11ddd21510863498920d7c35b9f95c27c1c3585fb5ecc032fd08

  • SSDEEP

    384:HsqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZjW:cf65K2Yf1jKRpcnut

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    potdark.no-ip.org:1999

  • Mutex

    1551c651c5ab849c23fad8dbba1720e8

Attributes
  • reg_key

    1551c651c5ab849c23fad8dbba1720e8

    Value name the sample uses for its Run-key persistence entry; it is the same string as the mutex above.

  • splitter

    |'|'|

    Delimiter between fields in njRAT's C2 messages.
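The extracted config is enough to recognise this client's traffic on the wire. The following is an added example (not code from the sandbox report or from the malware author) that frames and parses njRAT 0.7d-style C2 messages: each message is an ASCII decimal length, a NUL byte, then the payload, and payload fields are joined with the splitter from the config. The exact field order of the initial "ll" registration beacon is an assumption taken from public write-ups, and SAMPLE_STREAM is a constructed byte stream, not a capture from this sample.

```python
"""Parse njRAT 0.7d-style C2 framing and flag beacons matching this sample's config.

Added example; not code from the sandbox report or from the malware author.
Framing: '<ASCII decimal length>\\x00<payload>', fields joined by the splitter.
The 'll' beacon field order is assumed from public write-ups; SAMPLE_STREAM is
constructed for illustration.
"""
import base64
from typing import Dict, Iterator, List, Optional

SPLITTER = "|'|'|"                 # splitter attribute from the extracted config
BOTNET = "HacKed"                  # botnet attribute
VERSION = "0.7d"                   # version attribute
C2_HOST, C2_PORT = "potdark.no-ip.org", 1999


def frame(payload: bytes) -> bytes:
    """Encode one message: decimal length, NUL, payload."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def iter_messages(stream: bytes) -> Iterator[bytes]:
    """Split a captured TCP byte stream into payloads using the length prefix."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        length = int(stream[pos:nul])
        start = nul + 1
        payload = stream[start:start + length]
        if len(payload) != length:
            raise ValueError(f"truncated message at offset {start}")
        yield payload
        pos = start + length


def parse_beacon(payload: bytes) -> Optional[Dict[str, str]]:
    """Decode an 'll' registration beacon; return None for any other message.

    Assumed layout (index): 0 'll', 1 base64(victim id), 2 hostname, 3 user,
    4 date, 5 (empty), 6 OS string, 7 webcam flag, 8 client version, ...
    """
    fields = payload.decode("utf-8", "replace").split(SPLITTER)
    if fields[0] != "ll" or len(fields) < 9:
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
    except ValueError:                  # binascii.Error is a ValueError subclass
        victim = fields[1]              # not base64: keep the raw field for the analyst
    return {"victim_id": victim, "hostname": fields[2], "user": fields[3],
            "os": fields[6], "version": fields[8]}


def matches_sample_config(beacon: Dict[str, str]) -> bool:
    """True when the victim id carries this sample's botnet name and version."""
    return beacon["victim_id"].startswith(BOTNET + "_") and beacon["version"] == VERSION


def analyse_stream(stream: bytes) -> List[Dict[str, str]]:
    """Return every beacon in the stream that matches the extracted config."""
    hits = []
    for payload in iter_messages(stream):
        beacon = parse_beacon(payload)
        if beacon and matches_sample_config(beacon):
            hits.append(beacon)
    return hits


# Constructed client->C2 stream: one registration beacon followed by a short keep-alive.
_victim_b64 = base64.b64encode(b"HacKed_1A2B3C4D").decode("ascii")
_beacon = SPLITTER.join(["ll", _victim_b64, "DESKTOP-TEST", "victim", "22-10-03", "",
                         "Win 7 Ultimate SP1 x86", "No", VERSION, "..", ""]).encode()
SAMPLE_STREAM = frame(_beacon) + frame(b"P")

if __name__ == "__main__":
    for hit in analyse_stream(SAMPLE_STREAM):
        print(f"njRAT beacon matching config for {C2_HOST}:{C2_PORT}: {hit}")
```

Run it against a reassembled TCP stream to the C2 port; the length prefix lets you resynchronise even when the splitter appears inside a field, and a beacon whose victim id does not start with "HacKed_" belongs to a different build of the same family.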

Targets

    • Target

      f2a05c5f1219aaffda9e5a342e987095276efe7e1977bdd636bd15dbc6047b95

    • Size

      23KB

    • MD5

      6f99b978e519e45e7d72b153d66edb70

    • SHA1

      f87fce0d180c1be2ac06c852c1423522a8699da5

    • SHA256

      f2a05c5f1219aaffda9e5a342e987095276efe7e1977bdd636bd15dbc6047b95

    • SHA512

      b9b5429bcee8e0f030b0a66540c04a8ac738f3f6941225bad315e488ff75e8b13194fe39b12e11ddd21510863498920d7c35b9f95c27c1c3585fb5ecc032fd08

    • SSDEEP

      384:HsqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZjW:cf65K2Yf1jKRpcnut

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Reads the country code configured in the registry (the Control Panel\International\Geo key), a lookup commonly used to geofence execution by region.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
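The signatures above are observable on an endpoint as registry, file and process events. The following is an added example, not the sandbox's own signature logic, that runs constructed Sysmon-style records through simple rules for each listed behaviour and ties the Run-key finding back to the extracted reg_key. The netsh command line and the file paths are assumptions about how njRAT-family samples commonly realise these behaviours; none of the records are real telemetry from this sample.

```python
"""Match constructed endpoint telemetry against the behaviours this report lists.

Added example; not the sandbox's own signature logic. EVENTS are constructed
Sysmon-style records, not telemetry from this sample. The netsh command line
and dropped-file paths are assumptions about how njRAT-family samples commonly
realise the reported behaviours.
"""
import re
from typing import Dict, List, Tuple

REG_KEY = "1551c651c5ab849c23fad8dbba1720e8"   # reg_key / mutex from the extracted config

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NETSH_FW_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\b(?:add|set)\b", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\Windows\\System32\\", re.I)

Event = Dict[str, str]
Finding = Tuple[str, str]   # (signature name as in the report, detail)


def check_event(ev: Event) -> List[Finding]:
    """Return the report signatures that one telemetry record supports."""
    found: List[Finding] = []
    kind, target = ev["type"], ev.get("target", "")
    if kind == "RegistrySetValue":
        m = RUN_VALUE_RE.search(target)
        if m:
            name = m.group("name")
            note = " (value name equals extracted reg_key)" if name.lower() == REG_KEY else ""
            found.append(("Adds Run key to start application", name + note))
    elif kind == "RegistryQuery" and GEO_NATION_RE.search(target):
        found.append(("Checks computer location settings", target))
    elif kind == "FileCreate":
        if STARTUP_DIR_RE.search(target):
            found.append(("Drops startup file", target))
        if SYSTEM32_RE.search(target):
            found.append(("Drops file in System32 directory", target))
    elif kind == "ProcessCreate" and NETSH_FW_RE.search(ev.get("cmdline", "")):
        found.append(("Modifies Windows Firewall", ev["cmdline"]))
    return found


def evaluate(events: List[Event]) -> List[Finding]:
    """Run every record through check_event and collect the findings in order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed telemetry: four records that should fire and two that should not.
EVENTS: List[Event] = [
    {"type": "RegistrySetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\1551c651c5ab849c23fad8dbba1720e8"},
    {"type": "RegistryQuery", "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "FileCreate",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1551c651c5ab849c23fad8dbba1720e8.exe"},
    {"type": "ProcessCreate",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\victim\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"type": "RegistrySetValue", "target": r"HKCU\Software\Microsoft\Office\16.0\Common\LastUser"},
    {"type": "ProcessCreate", "cmdline": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for signature, detail in evaluate(EVENTS):
        print(f"{signature}: {detail}")
```

A Run value or startup file named after the extracted reg_key is the strongest host-side link to this configuration; the other rules fire on behaviour shared by many families and need the C2 or hash indicators from the report to attribute a hit to this sample.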

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • T1031 Modify Existing Service (1)

  • T1060 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1012 Query Registry (3)

  • T1082 System Information Discovery (4)
