General

  • Target

    db632c945b6a032e8d731e05859041965696bab877af546c13e5a7c7d06b0d9b

  • Size

    620KB

  • Sample

    240126-mm3htabfa7

  • MD5

    9722988f8586fbe48e1cfb5be278de76

  • SHA1

    c88d975dd5df83ecb8f4dd29da261335726378a4

  • SHA256

    db632c945b6a032e8d731e05859041965696bab877af546c13e5a7c7d06b0d9b

  • SHA512

    ffc1dbf49fcda55ba4ea99b5e6ed3147ceb11b6a6e0c720a3eef30b023ecbf4348b247e1ddb0893392bfdfdcd8b00b25308c7a300e8207c059a785de4c854bc2

  • SSDEEP

    12288:nBdlwHRn+WlYV+1MOzh01OvYhTIanY/6mn8MOUfXKPC:nBkVdlYAthZY1zm8MxfuC

Malware Config

Extracted

  • Family

    njrat

  • Version

    Platinum

  • Botnet

    png

  • C2

    127.0.0.1:7777

  • Mutex

    png.exe

  • Attributes

    • reg_key

      png.exe

    • splitter

      |Ghost|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
