Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    211325afecc4756847d5964f312e0a56.exe

  • Size

    1.1MB

  • Sample

    221008-tagh5sfagk

  • MD5

    211325afecc4756847d5964f312e0a56

  • SHA1

    c3479dcf0edf80bf3549c63c403e0b6c2d38e1dc

  • SHA256

    1cc62bcf5d8ec1beb8d7414e95aac964b31d0fcdca01f5dabfbd979ba7f44ad9

  • SHA512

    4baa3170c5d2462f48912b201493ea1c938aa8d946b9578543035e8592196c83fce4a15f0f7233e25c6302a900b4e47cc7dd83594e7d06fdac3a93a220b1a9eb

  • SSDEEP

    24576:DRSs5A7kY+1Bk6BJsOIbBBp2XyHTiYuRLwOvIYtZ:DxA7d+1Bk6pI1BAyZuRLEg

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

hackmine141

C2

6.tcp.eu.ngrok.io:16211

Mutex

85da80f4a8dee96549d096ddac33fdf4

Attributes
  • reg_key

    85da80f4a8dee96549d096ddac33fdf4

  • splitter

    |'|'|

Targets

    • Target

      211325afecc4756847d5964f312e0a56.exe

    • Size

      1.1MB

    • MD5

      211325afecc4756847d5964f312e0a56

    • SHA1

      c3479dcf0edf80bf3549c63c403e0b6c2d38e1dc

    • SHA256

      1cc62bcf5d8ec1beb8d7414e95aac964b31d0fcdca01f5dabfbd979ba7f44ad9

    • SHA512

      4baa3170c5d2462f48912b201493ea1c938aa8d946b9578543035e8592196c83fce4a15f0f7233e25c6302a900b4e47cc7dd83594e7d06fdac3a93a220b1a9eb

    • SSDEEP

      24576:DRSs5A7kY+1Bk6BJsOIbBBp2XyHTiYuRLwOvIYtZ:DxA7d+1Bk6pI1BAyZuRLEg

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks