General

  • Target

    Vikastart.exe

  • Size

    300KB

  • Sample

    240204-lhz2fsecd9

  • MD5

    23b4890371604997b7e48901d49025e6

  • SHA1

    e3161be5784d4e2999e28b3fd637c71b3d2bffe4

  • SHA256

    c35d91e2d4dbc130afb2d11901ffd72b7d5d29d7459324043b5c32d134f33ad7

  • SHA512

    63f8dff6f7d6886ebdd58c807862feb176ddd55c2e75ec3fee2935046e4d55ceaee8021b0c1a7c07f38a7a1b0a06492ae811a1ffa988e695ce05a1b0fb68ed55

  • SSDEEP

    6144:b4KlcJqDSB00ulESj3I9mlSLyqRuAHhL5sw0O:cgcE2B00uvj3IBuOq

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    Tupoy

  • C2

    127.0.0.1:17210

  • Mutex

    61dd081a412f5774313c2d7466838144

  • Attributes

      • reg_key

        61dd081a412f5774313c2d7466838144

      • splitter

        |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
