General

  • Target

    a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

  • Size

    23KB

  • Sample

    230901-yay6eahe56

  • MD5

    a65150c7e6a1470efdeb95b92e40a5ea

  • SHA1

    0e876d2c5da0ce4f7887af1f1b48272c13aaf3ec

  • SHA256

    f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc

  • SHA512

    a29eb17ff452f54dc0f273114c769f64bcf8aadcf129cc49555905120c7cdb58a8ce06e77852414782c84c2b13cf9118095e5985e33910b655db0c603e228312

  • SSDEEP

    384:upc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZAz:ube9EJLN/yRpcnuF

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

0.tcp.sa.ngrok.io:19096

Mutex

27f71527bed7617b3e2e3f3ed8ecf225

Attributes
  • reg_key

    27f71527bed7617b3e2e3f3ed8ecf225

  • splitter

    |'|'|

Targets

    • Target

      a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

    • Size

      23KB

    • MD5

      a65150c7e6a1470efdeb95b92e40a5ea

    • SHA1

      0e876d2c5da0ce4f7887af1f1b48272c13aaf3ec

    • SHA256

      f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc

    • SHA512

      a29eb17ff452f54dc0f273114c769f64bcf8aadcf129cc49555905120c7cdb58a8ce06e77852414782c84c2b13cf9118095e5985e33910b655db0c603e228312

    • SSDEEP

      384:upc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZAz:ube9EJLN/yRpcnuF

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks