General

  • Target

    7b8fa46b72e383ad837d382bbfedcfcb

  • Size

    14.1MB

  • Sample

    240127-3far8aeec9

  • MD5

    7b8fa46b72e383ad837d382bbfedcfcb

  • SHA1

    8d42f0b9199ba8c336f26fda6b4d2c398ad8a013

  • SHA256

    6ee9c9d3a1c250a9d271a9a0ce113427bd4f5bd591cd5f1946ec5f064c35beec

  • SHA512

    61ff31920ec2774780d9a381dcbe5b97268803eea3cf45ac51f24b29cec1df545b8a4f930b2055cfd92c4b7b41f1984bfc2dc0945e3062f57356243c1bc6b10c

  • SSDEEP

    196608:yA6TS+uUdI5FqYWQi6D05vvG1KeQW9EfvIeo0PAzLBYZU7cca0hSif:y/e9U6rvb50xg0iYdsCZOcca0w2

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    566

  • C2

    hakim32.ddns.net:2000

    192.168.0.23:1604

  • Mutex

    68234368da23b4c12442a5f1ebf604c9

  • Attributes

    • reg_key

      68234368da23b4c12442a5f1ebf604c9

    • splitter

      |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks