General

  • Target

    b237ec675782b2838334ada129395bed05735f4a98aee73b298f5af1e7671d8a

  • Size

    122KB

  • Sample

    221123-syh67sce72

  • MD5

    206014e7ab2fe5d041243825bce098a7

  • SHA1

    0c0b60ae4221c0919d2416cfd0875b1952dce6b7

  • SHA256

    b237ec675782b2838334ada129395bed05735f4a98aee73b298f5af1e7671d8a

  • SHA512

    0a5639278217b5d867e00037f001764affb53a0108ae0d23d625b234031bf5b04deab80464ea40ca9223714ef5301c9067fea7ca6b8a3969cce4329009dcfb85

  • SSDEEP

    3072:OQnBxmQr8ScHEdwrBhSa+c7iPM2mkOAHsM9R7:lsw6rbb+uYZ9R

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

ahmed-070.no-ip.biz:7777

Mutex

57b6c8d9ab3bb159df550fcc8f61f6a2

Attributes
  • reg_key

    57b6c8d9ab3bb159df550fcc8f61f6a2

  • splitter

    |'|'|

Targets

    • Target

      b237ec675782b2838334ada129395bed05735f4a98aee73b298f5af1e7671d8a

    • Size

      122KB

    • MD5

      206014e7ab2fe5d041243825bce098a7

    • SHA1

      0c0b60ae4221c0919d2416cfd0875b1952dce6b7

    • SHA256

      b237ec675782b2838334ada129395bed05735f4a98aee73b298f5af1e7671d8a

    • SHA512

      0a5639278217b5d867e00037f001764affb53a0108ae0d23d625b234031bf5b04deab80464ea40ca9223714ef5301c9067fea7ca6b8a3969cce4329009dcfb85

    • SSDEEP

      3072:OQnBxmQr8ScHEdwrBhSa+c7iPM2mkOAHsM9R7:lsw6rbb+uYZ9R

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks