General
Target: 197728e9fa403b56d6a828f6c61a7fa2.exe
Size: 53KB
Sample: 231010-jwjkhsca31
MD5: 197728e9fa403b56d6a828f6c61a7fa2
SHA1: 5960b7a711667a45d514d6bc64b5712af077ce0f
SHA256: a738aa809de5422ea520bc97c1c3082028d04b71fdbb5c7af61b93ed2a701a18
SHA512: e3d157206465a9bc268a856c5bde3e0d83b06b4b7a678f69d87c9a46f73a1e03024b6da97637af5e0108d82765c05b3aaa97ac75aa40547fa6bdddf4dcbd6ea1
SSDEEP: 768:ebgJlLJfcPCojPysItrM+rMRa8NuAXtVWsw1PDfhz8VUT:ebgJlLJUJjP2W+gRJN7Jw1PbV
Behavioral tasks
behavioral1: 197728e9fa403b56d6a828f6c61a7fa2.exe on win7-20230831-en
behavioral2: 197728e9fa403b56d6a828f6c61a7fa2.exe on win10v2004-20230915-en
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 6.tcp.eu.ngrok.io:10922
Mutex: 546af47cbd4280c217681fb9fee74971
reg_key: 546af47cbd4280c217681fb9fee74971
splitter: |'|'|
The mutex and the reg_key (the Run key value name) carry the same value, so one string serves both a process-level and a registry-level host check. The C2 is an ngrok TCP tunnel: 6.tcp.eu.ngrok.io is shared ngrok infrastructure and the port is assigned per tunnel, so treat the host:port pair as the indicator rather than the hostname alone, and expect it to change if the operator re-creates the tunnel.
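The splitter value is the field delimiter njRAT places between the fields of each C2 message. The Python below is an added example, not code from the sandbox report or from the sample itself: it frames and parses messages with the configured splitter, assuming the "<decimal length>\0<payload>" framing that njRAT 0.7x builds use. The beacon content and its field order are constructed for illustration and do not reproduce the real beacon layout.

```python
"""Parse njRAT-style C2 messages using the splitter from the extracted config.

Added example, not code from the report or the sample. Assumes the
"<decimal length>\\0<payload>" framing used by njRAT 0.7x builds; the
sample beacon below is constructed and its field order is illustrative.
"""

SPLITTER = "|'|'|"                       # from the extracted config
C2_HOST, C2_PORT = "6.tcp.eu.ngrok.io", 10922


def frame(payload: str) -> bytes:
    """Wrap a payload the way the client does: ASCII length, NUL, body."""
    body = payload.encode("latin-1")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_stream(data: bytes):
    """Split a TCP stream into (command, fields) tuples.

    Returns (messages, leftover); leftover holds an incomplete trailing
    frame so the caller can prepend it to the next chunk of the stream.
    """
    messages, pos = [], 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                # length prefix not complete yet
        prefix = data[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(data):
            break                                # body incomplete, wait for more
        parts = data[start:end].decode("latin-1").split(SPLITTER)
        messages.append((parts[0], parts[1:]))   # first field is the command
        pos = end
    return messages, data[pos:]


def splitter_hits(data: bytes) -> int:
    """Hunting heuristic: how often the configured splitter occurs in raw bytes."""
    return data.count(SPLITTER.encode("latin-1"))


def build_sample_stream() -> bytes:
    """Constructed traffic: a registration beacon, a heartbeat, a truncated frame."""
    beacon = SPLITTER.join(
        ["ll", "SGFja2VkX0RFU0tUT1A=", "DESKTOP-TEST", "admin", "im523"]
    )
    truncated = b"12\x00ll|'|'|par"               # claims 12 bytes, only 10 arrived
    return frame(beacon) + frame("P") + truncated


if __name__ == "__main__":
    msgs, rest = parse_stream(build_sample_stream())
    for cmd, fields in msgs:
        print(cmd, fields)
    print("leftover:", rest)
```

Because the splitter is operator-configurable, a stream-level rule should key on the value extracted from this specific config rather than on a hard-coded default; `splitter_hits` is the cheap first pass before full framing.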
Targets
197728e9fa403b56d6a828f6c61a7fa2.exe (53KB; hashes identical to those listed under General)
Score: 10/10
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2: the configured C2 is an ngrok TCP tunnel endpoint.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process (1): Windows Service, T1543.003 (1)