General

  • Target

    13b460b8f80beb10be21a06da0688fb1

  • Size

    813KB

  • Sample

    231230-kp9zkaefd7

  • MD5

    13b460b8f80beb10be21a06da0688fb1

  • SHA1

    516a1888c5549b0a8bce51460dfe22dc1cc72171

  • SHA256

    73e593d15b334bead509f7063782f835c5375e1ff184ff46797145c95e201f4d

  • SHA512

    7fda7acac1197f79e5e0117dcd408f1ae8820e438c736b29a28512cbaa15c5f715efca1e89feb3ca21392538c4ae8e420db4b0623cbefd39c3ee3d6a24b2af25

  • SSDEEP

    12288:nynw9K+aZ1wMbyGZI6czU2ai6D3h0kaHHMl8Hs2gX5uVj+9vJ/nXLr:y1+IAai6DbanzZss+9lbr

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2021$$$

C2

194.5.98.210:4040

Mutex

0ef5de3f5b1fb89677ba03e41fa0a05a

Attributes
  • reg_key

    0ef5de3f5b1fb89677ba03e41fa0a05a

  • splitter

    |'|'|
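The splitter above is the field delimiter njRAT uses inside each C2 message, and the mutex/reg_key value doubles as the Run-key value name the bot writes for persistence. The following decoder is an added example, not code from the sample or from any published njRAT source. It assumes the framing publicly documented for njRAT 0.7d (each message on the TCP stream is an ASCII decimal length, a NUL byte, then the payload, with payload fields separated by the configured splitter); the sample stream it parses is constructed here, not captured from this sample, and the field values in it are illustrative only.

```python
"""Decode njRAT-style framed C2 traffic using the splitter from the extracted config.

Assumed framing (as documented for njRAT 0.7d):  <decimal length> \\x00 <payload>
Assumed payload layout: fields joined by the splitter string.
Everything below the functions is constructed sample data, not real traffic.
"""
from typing import Iterator, List

SPLITTER = b"|'|'|"            # from the extracted config above
C2_HOST, C2_PORT = "194.5.98.210", 4040
REG_KEY = "0ef5de3f5b1fb89677ba03e41fa0a05a"  # Run-key value name / mutex name


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed length-prefixed frame."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Yield complete payloads from a byte stream of concatenated frames.

    Stops silently on a malformed length field or a truncated final frame,
    so a caller reading from a socket can buffer and retry with more data.
    """
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            return
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            return  # not a frame header; refuse to guess
        length = int(length_field)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            return  # truncated frame: wait for the rest of it
        yield stream[start:end]
        pos = end


def parse_payload(payload: bytes, splitter: bytes = SPLITTER) -> List[str]:
    """Split one payload into its fields on the configured splitter."""
    return [field.decode("utf-8", "replace") for field in payload.split(splitter)]


def parse_stream(stream: bytes, splitter: bytes = SPLITTER) -> List[List[str]]:
    """Decode every complete frame in the stream into a list of field lists."""
    return [parse_payload(p, splitter) for p in iter_frames(stream)]


# Constructed sample stream: a one-byte keep-alive followed by a three-field
# message that carries the botnet identifier from the config. The command
# names and values are placeholders chosen for the example.
SAMPLE_STREAM = frame(b"P") + frame(SPLITTER.join([b"inf", b"2021$$$", b"Win 10"]))

if __name__ == "__main__":
    for fields in parse_stream(SAMPLE_STREAM):
        print(fields)
```

Run against a pcap of traffic to 194.5.98.210:4040, the decoder surfaces the field structure directly; a frame whose second field is not split cleanly on `|'|'|` is a sign the splitter differs from this config and the family/version identification should be revisited.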

Targets

    • Target

      13b460b8f80beb10be21a06da0688fb1

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15