General

  • Target: 20B6DB4A05D7BE590AE26A9E373C7708.exe
  • Size: 23KB
  • Sample: 240221-1457xsga71
  • MD5: 20b6db4a05d7be590ae26a9e373c7708
  • SHA1: 7982c41e1b4c9bed0efb839a2d09e2134bf4c071
  • SHA256: a03e517dd3772d7f304c77676c7cb50e5dbf146d67a4812eb2bf7ec9a9641520
  • SHA512: 0a9e1fa29e54cff6312a4d1b92c8978b6e934d940601c70896996fcb5144d603b6ab1fee1a78c55a29fb7f4c7d31fdcb0a462fd90882605119b2d2158273b8d3
  • SSDEEP: 384:Jc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZnV:7e9EJLN/yRpcnuq

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: Hacked
  • C2: amma.myftp.biz:1177
  • Mutex: 5067798511594293a736c9b0b92fa333

Attributes

  • reg_key: 5067798511594293a736c9b0b92fa333
  • splitter: |'|'|

Targets

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
