General

  • Target

    2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95

  • Size

    911KB

  • Sample

    221127-wt1ggace3v

  • MD5

    5947d179c77c96f7a4b174d277725383

  • SHA1

    f925ac6d657e01b5281c0cb1e5aaf01beddb8281

  • SHA256

    2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95

  • SHA512

    9625c7406a8f501996242bdffdef259f3804b23b6ddac53d74be2e3a4cd1ced12a0ab4bd91cf91dded4d9003f1bee7122c56d47ab54b9e48dbcea54522755fdf

  • SSDEEP

    12288:Atb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+r91G0X6A:Atb20pkaCqT5TBWgNQ7a+r9FX6A

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hamza

C2

rrs123.no-ip.org:60

Mutex

6188e1c717e994538c5502a5488c8d23

Attributes

  • reg_key

    6188e1c717e994538c5502a5488c8d23

  • splitter

    |'|'|

Targets

    • Target

      2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95

    • Size

      911KB

    • MD5

      5947d179c77c96f7a4b174d277725383

    • SHA1

      f925ac6d657e01b5281c0cb1e5aaf01beddb8281

    • SHA256

      2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95

    • SHA512

      9625c7406a8f501996242bdffdef259f3804b23b6ddac53d74be2e3a4cd1ced12a0ab4bd91cf91dded4d9003f1bee7122c56d47ab54b9e48dbcea54522755fdf

    • SSDEEP

      12288:Atb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+r91G0X6A:Atb20pkaCqT5TBWgNQ7a+r9FX6A

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks