General

  • Target

    dfa041441341667ccad6f97423727d8f0d345e4af967ed8b389d472285d9151b

  • Size

    23KB

  • Sample

    221029-yjw3eaced9

  • MD5

    8385e62092d6cc0e2c901a7b1f1b0770

  • SHA1

    3dd182bdda0786a58053c1ede1113e9440fcad2c

  • SHA256

    dfa041441341667ccad6f97423727d8f0d345e4af967ed8b389d472285d9151b

  • SHA512

    3ed2da81dc9c8ea429da04e3b1c1499333dd6749d31026d6461dbe5332551a7f4d7c0f4ff751ee1696587e9e9e1f22610df4ceec1b3db095edfecfa01ec9e5ba

  • SSDEEP

    384:DweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZB3:ULq411eRpcnuS

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hack

C2

fuck10.no-ip.biz:50000

Mutex

219f889719b292a44f79b3e5d6ea87d4

Attributes
  • reg_key

    219f889719b292a44f79b3e5d6ea87d4

  • splitter

    |'|'|

Targets

    • Target

      dfa041441341667ccad6f97423727d8f0d345e4af967ed8b389d472285d9151b

    • Size

      23KB

    • MD5

      8385e62092d6cc0e2c901a7b1f1b0770

    • SHA1

      3dd182bdda0786a58053c1ede1113e9440fcad2c

    • SHA256

      dfa041441341667ccad6f97423727d8f0d345e4af967ed8b389d472285d9151b

    • SHA512

      3ed2da81dc9c8ea429da04e3b1c1499333dd6749d31026d6461dbe5332551a7f4d7c0f4ff751ee1696587e9e9e1f22610df4ceec1b3db095edfecfa01ec9e5ba

    • SSDEEP

      384:DweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZB3:ULq411eRpcnuS

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks