General

  • Target

    a09a3b6b6bea6ef91aef5d0dd4581b88.bin

  • Size

    18KB

  • Sample

    240122-c569lsfbe7

  • MD5

    f16a34d67a40b66f2595de4b485b3ef8

  • SHA1

    0af910b1733db7dbbdc2aaf0ab9442203debdc89

  • SHA256

    2016387ced33889b3ee002b9ff9f7dfcd91ae2b1358f96279488265e44bc0770

  • SHA512

    4f329333c4eaac8429f6732436b4a7d48c3b8a1fa370bfa49e90c91588ba84c4034721bc5858f135828169a84a4a1f658c90db2cef2b1d0274a6be5156713fb3

  • SSDEEP

    384:EitLEhMqRI6pohxvP7o0twLy3Z6oaCAhRjoke1YD0Ev5NEFOmxcnc:FLE6YIeonP70GZ6vb8ke1YAI5iQmxcc

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

4.tcp.eu.ngrok.io:10929

Mutex

39b05030c645f6e80bce801caf1f7d61

Attributes

  • reg_key

    39b05030c645f6e80bce801caf1f7d61

  • splitter

    |'|'|

Targets

    • Target

      6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25.exe

    • Size

      103KB

    • MD5

      a09a3b6b6bea6ef91aef5d0dd4581b88

    • SHA1

      098ed5d82ade538154634a9f44d8f91607c23392

    • SHA256

      6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25

    • SHA512

      42c383b30292cb2521f70e3dcc30b96553e50866ab965f9304bf2808d90ea4be01efa12d380f6d9b76ffe57f09974d5563e5a6018a2009328ce18a25b4b3d1f8

    • SSDEEP

      384:y4n/7AKiwBiaJzN5BLiFI4yUvcP3vr042r49ZrAF+rMRTyN/0L+EcoinblneHQMs://hXP5TUvcPgl4HrM+rMRa8Nup0t

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks