General

  • Target

    Remcos Professional Cracked By Alcatraz3222.exe

  • Size

    17.7MB

  • Sample

    230321-n1vwkaab36

  • MD5

    efc159c7cf75545997f8c6af52d3e802

  • SHA1

    b85bd368c91a13db1c5de2326deb25ad666c24c1

  • SHA256

    898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

  • SHA512

    d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

  • SSDEEP

    393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes
  • reg_key

    3b570ffeeb3d34249b9a5ce0ee58a328

  • splitter

    svchost

Targets

    • Target

      Remcos Professional Cracked By Alcatraz3222.exe

    • Size

      17.7MB

    • MD5

      efc159c7cf75545997f8c6af52d3e802

    • SHA1

      b85bd368c91a13db1c5de2326deb25ad666c24c1

    • SHA256

      898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

    • SHA512

      d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

    • SSDEEP

      393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Tasks