General

  • Target

    a640364846274e9da426b560a4df12dc.bin

  • Size

    36KB

  • Sample

    230723-cht1rsde7w

  • MD5

    29d0452d26bc1a1bd41f55b535a79c3f

  • SHA1

    a12af5f0d9ed53aa538f9b62de3e7f13eaf1b9bf

  • SHA256

    209b241c35376f2954b4a7ef74062da06d5e8d3cb4c75244e3d7c075bf62290b

  • SHA512

    1fd22f9ab580994377abf3dd82c3f69e09a8b365cdcb21b5a2bb7982afcbf3a3c46d4df8851b90b6bdde9b7fb32fb2876eb37ae778f3c1135669787baa57a0c8

  • SSDEEP

    768:K54A/giaMrYyE3GNODROVUx/Z8MtQ2hEoFvg5/+MI1sWvQ6yQ:KOmUx3608VSx8MeS1Fvg5mLFvQRQ

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

todosnj4343.duckdns.org:4343

Mutex

91870a25e1f

Attributes
  • reg_key

    91870a25e1f

  • splitter

    @!#&^%$

Targets

    • Target

      2ef96a32a575cbef0ac72b1e301112e6f82cab710167ef70a7bc0b77fda1f457.vbs

    • Size

      385KB

    • MD5

      a640364846274e9da426b560a4df12dc

    • SHA1

      f88328cc6f8907ab700f845542f17ccf3cd677c2

    • SHA256

      2ef96a32a575cbef0ac72b1e301112e6f82cab710167ef70a7bc0b77fda1f457

    • SHA512

      bd8bbd2647a043ebf47302c538a7d09c7da7ac0c46117ce0a50a7c2a74f63203be4fe2a4547dbc38b8399acccaef7e6dac078f21bcc7fe62babb9371505937ce

    • SSDEEP

      3072:35XNsn1+7HLDVZeMxzakxTOvsp7zSty8NxF50hfp/TIYbdHznXmxLJIrCsS4CYuC:4n+SMxzakB2ty8NxF50hfp/TR

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks