General

  • Target

    4ef9b32300bc30dcfc914b1d5666884fe46c0713a3ca6cfc217e6d0307734a46

  • Size

    83KB

  • Sample

    221120-lt379agc99

  • MD5

    19ab2fc47a795bcc8a2ff75ffb81f3c0

  • SHA1

    bd3a8d9e48bc3953a5995b270be1e20e202cd09d

  • SHA256

    4ef9b32300bc30dcfc914b1d5666884fe46c0713a3ca6cfc217e6d0307734a46

  • SHA512

    ac01e8c2003641bebc9feb1633f10477c41944ab787809d826c395d419710e51f9527d7e8b25c837ccfcdf4dec86899595c1cd5e6999aab8fa6493ede5eb82af

  • SSDEEP

    1536:IkTC5O7yf12f4UeQUumrDBVxk2P/wX8PMNCimIdvHZ9vi6u:IkTCVdzce+2PZExmivLvi6u

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    1

  • C2

    choukiba.no-ip.org:5552

  • Mutex

    d8692617e945f5bef6c8a7480b56b61e

  • Attributes

    • reg_key

      d8692617e945f5bef6c8a7480b56b61e

    • splitter

      |'|'|

Targets

    • Target

      4ef9b32300bc30dcfc914b1d5666884fe46c0713a3ca6cfc217e6d0307734a46


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1031 Modify Existing Service (1)

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)
