General

  • Target

    7b30da10dc4c0d9f3a452069b582b532

  • Size

    2.8MB

  • Sample

    240127-y5wc1adbcm

  • MD5

    7b30da10dc4c0d9f3a452069b582b532

  • SHA1

    2225afc63c009b23d9267ca5d4c7989dd5b11f2c

  • SHA256

    2244b3a51771eaffdfe019774f5aeb8c916342e393e766d4bf794e279cf9af1e

  • SHA512

    28b97cc62a19532f068fd7f33e664d5b131ddd287cb948d0d1576c084f4a62a92944a0034c6c211f080d14c5897d0e46869ce28e5dd423b08d6b3ab98c1fd2e9

  • SSDEEP

    1536:8MnnAmKW2Pf38oAQ8gBjFv4m99BpCDPYH:XAmKW2Pf38oAQ8gBjFv4m99BpCDPYH

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Client

C2

dontreachme3.ddns.net:3604

Mutex

EdgeBrowser.exe

Attributes
  • reg_key

    EdgeBrowser.exe

  • splitter

    123

Targets

    • Target

      7b30da10dc4c0d9f3a452069b582b532

    • Size

      2.8MB

    • MD5

      7b30da10dc4c0d9f3a452069b582b532

    • SHA1

      2225afc63c009b23d9267ca5d4c7989dd5b11f2c

    • SHA256

      2244b3a51771eaffdfe019774f5aeb8c916342e393e766d4bf794e279cf9af1e

    • SHA512

      28b97cc62a19532f068fd7f33e664d5b131ddd287cb948d0d1576c084f4a62a92944a0034c6c211f080d14c5897d0e46869ce28e5dd423b08d6b3ab98c1fd2e9

    • SSDEEP

      1536:8MnnAmKW2Pf38oAQ8gBjFv4m99BpCDPYH:XAmKW2Pf38oAQ8gBjFv4m99BpCDPYH

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • UAC bypass

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Looks for VirtualBox Guest Additions in registry

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks