General

  • Target

    ea8eebeb8b6b807f3bc924391e7fbceb046eec38ded21006ee921bd52f2347d9

  • Size

    195KB

  • Sample

    240121-zan6wahfdn

  • MD5

    76e57bb03c3ed6f74431d2a0d3a9af30

  • SHA1

    680b6f4f9026c56048794e39d1f2396d5389305a

  • SHA256

    ea8eebeb8b6b807f3bc924391e7fbceb046eec38ded21006ee921bd52f2347d9

  • SHA512

    35ce1722751d2a4b19ad51adc489651ca5cdecde7a42962311234373b39c8b258814aeab4975e68a259298340640ce10a0b357653292556bd6425a263c05e7d8

  • SSDEEP

    3072:8xT6Jh+yJFg1Mr8b4bSPGEYmf34Rs7+S:8T6qT6S4nVmwRo

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

0.tcp.eu.ngrok.io:16603

Mutex

fef28429a4f072630b0637e4c19aa107

Attributes

  • reg_key

    fef28429a4f072630b0637e4c19aa107

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15