General
Target: 7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c
Size: 212KB
Sample: 221124-eyjk3sca5s
MD5: db55fb022d74a642daa9169663d736ae
SHA1: 31d51d14c6c0707728ff948704522ef81cbd62e2
SHA256: 7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c
SHA512: 1d0d23758010b21ae34f2357d58761c2a8e6f99a3245ac20eaeec84b8be0af7686f8ac258f9a2ecfe09e1d87dabb8429e8cda41faf90988f3c8927f7ef060cb2
SSDEEP: 3072:quhMi/KTBwAbez+mzPG81Z8cfkvv2aSWQUnKaOAZ3VqDcQUnnnnjnnnnnnT63:DSiSTB10+mDnfSDSzUncg4
Static task: static1
Behavioral task: behavioral1
  Sample: 7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted family: njrat
Version: 0.6.4
Botnet: svchot
C2: salouh-20.no-ip.org:1177
Mutex: 6e1ce27bcc6ff5920e6f5b65cc3a57bd
reg_key: 6e1ce27bcc6ff5920e6f5b65cc3a57bd
splitter: |'|'|
Targets
Target: 7030965b5c24c8240e7e1b3a03e4e7ef7f67995f2247623e6e3a41d0d1e3488c (size and hashes as listed under General)
Score: 10/10
Signatures:
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext