General

  • Target

    ba4ad55b9b84dfc2484cd3558bb4a0b40bb4bfc7c712204e1a0512b8f05d781b

  • Size

    111KB

  • Sample

    221125-z1hf1sfc64

  • MD5

    f7645c8ccdb09cfae8f70d5a8f84c078

  • SHA1

    6be336396334983b4b3d22de6fb02688475d8023

  • SHA256

    ba4ad55b9b84dfc2484cd3558bb4a0b40bb4bfc7c712204e1a0512b8f05d781b

  • SHA512

    d6588df16b488aef63e3abfdc46b16b66c1c949f6a62b68865510b682a035612e700a0653026f3e7b835f8a2cc58e58f153ef5a4ee021beead63db8b3d9ca1a0

  • SSDEEP

    3072:tiBtzo/hK6UeoiXLQemnmpMOKlSbnnfW5:GWhKjWXMemmOOKlWf

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacK

C2

voip19.ddns.net:5552

Mutex

01d5da98c29544bb9318cf6408732310

Attributes
  • reg_key

    01d5da98c29544bb9318cf6408732310

  • splitter

    |'|'|
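
The extracted config gives everything needed to recognise this sample's C2 traffic on the wire: the host and port, and the field separator. The following is an added example written for this report, not code from the sample or the sandbox. It assumes the common njRAT framing (an ASCII decimal byte length, a NUL byte, then the payload, with payload fields joined by the configured splitter); that framing, the command names and the field order in the constructed sample are assumptions, not facts stated on the page.

```python
"""Decode njRAT-style C2 traffic using the splitter extracted above.

Added example for this report (not code from the sample or the sandbox).
Assumed, not stated on the page: each message is an ASCII decimal byte
length, a NUL byte, then the payload; payload fields are joined by the
configured splitter. The traffic below is constructed.
"""
from dataclasses import dataclass, field

SPLITTER = b"|'|'|"                     # "splitter" from the extracted config
C2 = ("voip19.ddns.net", 5552)          # "C2" from the extracted config


@dataclass
class Message:
    command: str
    fields: list = field(default_factory=list)


def frame_messages(stream: bytes) -> tuple:
    """Split a byte stream into complete payloads.

    Returns (payloads, remainder); remainder is an incomplete trailing
    frame that the caller should buffer until more bytes arrive.
    """
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:                      # length prefix not complete yet
            break
        prefix = stream[pos:nul]
        if not prefix.isdigit():           # empty or non-numeric prefix
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(stream):              # payload not fully received
            break
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_message(payload: bytes) -> Message:
    """Split one payload on the splitter; the first field is the command."""
    parts = payload.split(SPLITTER)
    return Message(parts[0].decode("latin-1"),
                   [p.decode("latin-1") for p in parts[1:]])


def decode_stream(stream: bytes) -> list:
    payloads, _ = frame_messages(stream)
    return [parse_message(p) for p in payloads]


def build_frame(*fields: bytes) -> bytes:
    """Inverse of the parser, used here only to construct sample traffic."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream: a check-in ("ll") with made-up field values
# (botnet name, hostname, user, OS, version), then a second short message.
# Command names and field order are illustrative assumptions.
SAMPLE = (build_frame(b"ll", b"HacK", b"DESKTOP-1", b"user", b"Win 10", b"0.7d")
          + build_frame(b"inf", b"reply"))

if __name__ == "__main__":
    for msg in decode_stream(SAMPLE):
        print(msg.command, msg.fields)
```

The length prefix is what makes the protocol easy to reassemble from a TCP stream: `frame_messages` hands back the unconsumed tail so a capture split across packets can be fed in incrementally, and it refuses a non-numeric prefix rather than silently resynchronising on the next NUL.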

Targets

    • Target

      ba4ad55b9b84dfc2484cd3558bb4a0b40bb4bfc7c712204e1a0512b8f05d781b

    • Size

      111KB

    • MD5

      f7645c8ccdb09cfae8f70d5a8f84c078

    • SHA1

      6be336396334983b4b3d22de6fb02688475d8023

    • SHA256

      ba4ad55b9b84dfc2484cd3558bb4a0b40bb4bfc7c712204e1a0512b8f05d781b

    • SHA512

      d6588df16b488aef63e3abfdc46b16b66c1c949f6a62b68865510b682a035612e700a0653026f3e7b835f8a2cc58e58f153ef5a4ee021beead63db8b3d9ca1a0

    • SSDEEP

      3072:tiBtzo/hK6UeoiXLQemnmpMOKlSbnnfW5:GWhKjWXMemmOOKlWf

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Adds Run key to start application
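
Two of the behaviours listed above, the Run key and the firewall change, are the ones worth turning into host detections, because the reg_key from the extracted config is also the name of the autostart value. The following is an added example for this report, not the sandbox's own signature logic. The events are constructed in a Sysmon-like shape (EventID 13 for a registry value set, EventID 1 for process creation). That the firewall change is made through netsh is an assumption, commonly observed for njRAT but not stated on this page.

```python
"""Match this report's Run-key and firewall behaviours against host telemetry.

Added example for this report, not the sandbox's own detection logic.
Events below are constructed in a Sysmon-like shape. Assumption: the
autostart value name equals the extracted reg_key, and the firewall
change is made with netsh (not stated on the page).
"""
import re

REG_KEY = "01d5da98c29544bb9318cf6408732310"   # reg_key from the extracted config

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
NETSH_FW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule)\b", re.I)

# Constructed events: one benign autostart, the sample's autostart value,
# a netsh allow-list change from the same binary, and a benign netsh call.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Teams\Teams.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\com.squirrel.Teams.Teams",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\Teams\Update.exe --processStart Teams.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\server.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\01d5da98c29544bb9318cf6408732310",
     "Details": r'"C:\Users\user\AppData\Local\Temp\server.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\server.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},
]


def check_run_key(ev: dict):
    """Flag a Run value named after the reg_key or pointing into a user-writable path."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    name = m.group(1)
    reasons = []
    if name.lower() == REG_KEY:
        reasons.append("value name matches extracted reg_key")
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        reasons.append("autostart target in user-writable directory")
    if not reasons:
        return None
    return {"rule": "njrat_run_key", "value": name, "reasons": reasons}


def check_netsh(ev: dict):
    """Flag a process-create event that adds a firewall allow rule via netsh."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if not NETSH_FW_RE.search(cmd):
        return None
    return {"rule": "firewall_allow_via_netsh",
            "parent": ev.get("ParentImage", ""), "cmd": cmd}


def detect(events) -> list:
    alerts = []
    for ev in events:
        for check in (check_run_key, check_netsh):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The reg_key match is the high-confidence signal for this sample; the user-writable-path check is the generic one that survives a rebuilt binary with a fresh mutex, at the cost of needing a tuned allow-list for legitimate per-user installers. Correlating the netsh alert with its parent image, as the second check records, ties the firewall change back to the dropped executable.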

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • System Information Discovery (T1082): 1
