General
-
Target
32e70cd9a91470daaa68b67e2860c74412e5f67b5cdfda1e8ba2f4b12d684dc8
-
Size
396KB
-
Sample
221003-btmv6acafq
-
MD5
02fbd7f5af1730d8ad605ebdbe7d5ed0
-
SHA1
1859b6f22073ebfc3beff869699dc6aec53da2ae
-
SHA256
32e70cd9a91470daaa68b67e2860c74412e5f67b5cdfda1e8ba2f4b12d684dc8
-
SHA512
a545dad9a14bad63a65a60e65bfc9446e8ee3fdf520ddc357dd8270979849a25adf13f1eecafbbc95ae5d37a5c438de059ca0dd5a874e69182aa7e28b1f92cf3
-
SSDEEP
12288:An+roSCwiBAr+XPgM2WSO8+OXw5QDog9z:AG6wiY+XZ2E8HGQ3
Malware Config
Extracted
njrat
0.6.4
tabassss
yassineouhani.no-ip.biz:1177
d5a38e9b5f206c41f8851bf04a251d26
-
reg_key
d5a38e9b5f206c41f8851bf04a251d26
-
splitter
|'|'|
Targets
-
-
Target
32e70cd9a91470daaa68b67e2860c74412e5f67b5cdfda1e8ba2f4b12d684dc8
-
Size
396KB
-
MD5
02fbd7f5af1730d8ad605ebdbe7d5ed0
-
SHA1
1859b6f22073ebfc3beff869699dc6aec53da2ae
-
SHA256
32e70cd9a91470daaa68b67e2860c74412e5f67b5cdfda1e8ba2f4b12d684dc8
-
SHA512
a545dad9a14bad63a65a60e65bfc9446e8ee3fdf520ddc357dd8270979849a25adf13f1eecafbbc95ae5d37a5c438de059ca0dd5a874e69182aa7e28b1f92cf3
-
SSDEEP
12288:An+roSCwiBAr+XPgM2WSO8+OXw5QDog9z:AG6wiY+XZ2E8HGQ3
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-