General
-
Target
NEAS.007fbc697964a52d5103610ce0ca8e40_JC.exe
-
Size
204KB
-
Sample
231104-m2yheaaf34
-
MD5
007fbc697964a52d5103610ce0ca8e40
-
SHA1
648d51f7117de38bde522f1bba7b89a3a89923ed
-
SHA256
a4c6094dac4ca23ecef676ac4ea1ac024b08e18f570f7814e15eb0578e8d0794
-
SHA512
5e4dc6ccc4cdc930fb92796f984875b84eb51b1ce612211491b9b737af290ff5625e0b17fc4169a6762664902f81f29d4ed114170ca2f11d40cfed7422f518e9
-
SSDEEP
1536:ipDV/xr9OVsEasEhVnghdD8yz6J85GG90u5OEyaSongxYz9wd7Y3Yycn3OqBCVi3:ipDV/xr9OVLxN5Gzarbzs7GqBOWWH2J
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.007fbc697964a52d5103610ce0ca8e40_JC.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.007fbc697964a52d5103610ce0ca8e40_JC.exe
Resource
win10v2004-20231020-en
Malware Config
Extracted
njrat
0.6.4
HacKed
127.0.0.1:1177
5cd8f17f4086744065eb0992a09e05a2
-
reg_key
5cd8f17f4086744065eb0992a09e05a2
-
splitter
|'|'|
Targets
-
-
Target
NEAS.007fbc697964a52d5103610ce0ca8e40_JC.exe
-
Score
10/10
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1