General
-
Target
8b60c50f80470647d821b2eae1b794d6ccd20d21a936f0b1a9bb222d05e302dd
-
Size
147KB
-
Sample
221125-rl4rpsdc98
-
MD5
c006c68b06d9d1979cf5be224a726925
-
SHA1
817e0b895d7201f8e5cc2a7cddc7f9ed10a394b7
-
SHA256
8b60c50f80470647d821b2eae1b794d6ccd20d21a936f0b1a9bb222d05e302dd
-
SHA512
f3dc7b463332257a98a9d6e78fe442ea68f09f13a09d72388ca27e9197257e4c9b634d8dedcdeff929820598b1421816a94fd98fd639f65f75b7bfeccd0a48c3
-
SSDEEP
3072:3OAIPiMULBkZ25qcxC9M32GhNvDu0S3lUO9qCDb:3jAiMULBh5qc/2GhNU3lUC
Malware Config
Extracted
njrat
0.6.4
cLAEN
windows.waely.com:1009
926805a248e6ff862074529d07f3cf11
-
reg_key
926805a248e6ff862074529d07f3cf11
-
splitter
|'|'|
Targets
-
-
Target
8b60c50f80470647d821b2eae1b794d6ccd20d21a936f0b1a9bb222d05e302dd
-
Size
147KB
-
MD5
c006c68b06d9d1979cf5be224a726925
-
SHA1
817e0b895d7201f8e5cc2a7cddc7f9ed10a394b7
-
SHA256
8b60c50f80470647d821b2eae1b794d6ccd20d21a936f0b1a9bb222d05e302dd
-
SHA512
f3dc7b463332257a98a9d6e78fe442ea68f09f13a09d72388ca27e9197257e4c9b634d8dedcdeff929820598b1421816a94fd98fd639f65f75b7bfeccd0a48c3
-
SSDEEP
3072:3OAIPiMULBkZ25qcxC9M32GhNvDu0S3lUO9qCDb:3jAiMULBh5qc/2GhNU3lUC
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-