General

  • Target

    Net amp.EXE

  • Size

    7.1MB

  • Sample

    231218-yw2tesfac7

  • MD5

    523f1694af7ecfe6cf06b0db19cce834

  • SHA1

    da8bd2e5656f40d183b5f1c263a3e121fe63454f

  • SHA256

    b79a1275b2ea72d2c67cf5377241ab159d2f5dd523f811196c16d50f4e65cf5c

  • SHA512

    1c3c20e71c7f57e012025aa2d2e68f3e3fca46f7d092b736dd91ce5d2324436e25f6b409952561cef853fd92ab57deabefbd6161fbaf5cbe2151861711afaa45

  • SSDEEP

    98304:b3ccU6R7ReNhraV5eKRtHIHWQOSxjDJWxfBQPEtJ8PRmzqopxDYtBRayyajln2HG:TK6lwNhmO0YoGjDi+a7DsjlSPPni2zE

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

samoda

C2

16.ip.gl.ply.gg:3958

Mutex

Windows

Attributes

  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • Target

      Net amp.EXE

    • Irata

      Irata is an Iranian remote access trojan for Android, first seen in August 2022.

    • Irata payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks