General

  • Target

    0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f

  • Size

    290KB

  • Sample

    221003-srekfaceh4

  • MD5

    6a890900f264d91b22368ece3b4c2ec0

  • SHA1

    c7f9facce25fde3e168068beb8e2e0d002a1fc80

  • SHA256

    0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f

  • SHA512

    1addbf55230369de0e8fe5e572595b3b20248bcce4c824e1ab3a8deeb73dfa678034cfbee953cee79b439a7bde4b678df0c947b60a7fde9e6f6fcf89c16ba87e

  • SSDEEP

    3072:nMY0O8BEMxRURH1S6Ll65S69q/N6LcaubmmeeleYugci1ze7AdkddcdrFWJw7rr/:MY03M1S6kL1OEG2xFjX9M

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

victime

C2

badprince.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes
  • reg_key

    5cd8f17f4086744065eb0992a09e05a2

  • splitter

    |'|'|

Targets

    • Target

      0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f

    • Size

      290KB

    • MD5

      6a890900f264d91b22368ece3b4c2ec0

    • SHA1

      c7f9facce25fde3e168068beb8e2e0d002a1fc80

    • SHA256

      0289a8b04866b8426c003247d27b58ea05d4f3765e30c0c414380c833b9e516f

    • SHA512

      1addbf55230369de0e8fe5e572595b3b20248bcce4c824e1ab3a8deeb73dfa678034cfbee953cee79b439a7bde4b678df0c947b60a7fde9e6f6fcf89c16ba87e

    • SSDEEP

      3072:nMY0O8BEMxRURH1S6Ll65S69q/N6LcaubmmeeleYugci1ze7AdkddcdrFWJw7rr/:MY03M1S6kL1OEG2xFjX9M

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks