General

  • Target

    tmp

  • Size

    93KB

  • Sample

    240222-hgw2madf8s

  • MD5

    701061274a68a71561cf2ec0a1332635

  • SHA1

    f83da28647230602bb88461341a052bef651cbd5

  • SHA256

    10e012b7d6d88eba23bc9ba0ae4ee9cb299a1f688fb8ccac9c1f03319e0a7575

  • SHA512

    ed5fc6fe6b82fefeb943c1cb20fdac7e01d43784a3cbd4fe88f7ea5cebe014609585ee354b3382ed822969f8ba453b9fa8b197acd2f110a664e6ff65e1412d7f

  • SSDEEP

    1536:MI4JD/HBZbszKu9AZpE7r1jEwzGi1dDoDjgS:MI3zK4AZCHCi1d+c

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

C2

hakim32.ddns.net:2000

45.142.182.104:4568

Mutex

8176ddd3532710782091cb4edeb4cd62

Attributes
  • reg_key

    8176ddd3532710782091cb4edeb4cd62

  • splitter

    |'|'|
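The C2 hosts and the splitter above are the two config items an analyst uses first: the splitter is the delimiter njRAT puts between fields of every C2 message. The following Python is an added example, not part of the sandbox report or of njRAT itself. It assumes njRAT's length-prefixed framing ("<decimal length>\x00<payload>") and a registration-beacon field order matching the constructed sample stream inside the script; neither is stated on the page.

```python
"""Decode njRAT C2 frames using the splitter from the extracted config.

Added example, not part of the report. Assumptions (not stated on the page):
njRAT frames a message as "<decimal length>\x00<payload>" and joins payload
fields with the configured splitter; the registration beacon ("ll") carries
a base64 victim ID of the form "<botnet>_<hwid>". The stream below is
constructed to that shape, not captured from the sample.
"""
import base64

SPLITTER = "|'|'|"                       # "splitter" attribute from the config
KNOWN_C2 = {("hakim32.ddns.net", 2000), ("45.142.182.104", 4568)}


def frame(payload: str) -> bytes:
    """Encode one njRAT frame (used here only to build the constructed stream)."""
    data = payload.encode("utf-8")
    return f"{len(data)}\x00".encode("ascii") + data


def parse_frames(stream: bytes):
    """Split a TCP byte stream into (command, fields) tuples.

    Returns the parsed frames plus any trailing bytes that do not yet form a
    complete frame, so the caller can buffer them until more data arrives.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not complete yet
        length_text = stream[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"bad length prefix {length_text!r} at offset {pos}")
        start, end = nul + 1, nul + 1 + int(length_text)
        if end > len(stream):
            break                                   # partial frame: keep for next read
        fields = stream[start:end].decode("utf-8", "replace").split(SPLITTER)
        frames.append((fields[0], fields[1:]))
        pos = end
    return frames, stream[pos:]


def registration_info(fields):
    """Pull the analyst-relevant items out of an "ll" registration beacon.

    Field positions follow the constructed beacon in this example (assumption).
    """
    botnet, _, hwid = base64.b64decode(fields[0]).decode().partition("_")
    return {"botnet": botnet, "hwid": hwid, "hostname": fields[1],
            "username": fields[2], "version": fields[7]}


def is_known_c2(host: str, port: int) -> bool:
    """True when host:port matches a C2 endpoint from the extracted config."""
    return (host, port) in KNOWN_C2


# Constructed sample stream: one registration beacon, one keepalive ("P"),
# then the first bytes of a frame that has not fully arrived.
_REG_FIELDS = ["ll", base64.b64encode(b"Hacked_A1B2C3D4").decode(), "DESKTOP-LAB",
               "user", "24-02-22", "", "Win 10 Pro SP0 x64", "No", "0.7d", "..",
               base64.b64encode(b"Notepad").decode(), "0"]
SAMPLE_STREAM = frame(SPLITTER.join(_REG_FIELDS)) + frame("P") + b"25\x00ll|'|'|"

FRAMES, LEFTOVER = parse_frames(SAMPLE_STREAM)

if __name__ == "__main__":
    for command, fields in FRAMES:
        print(command, fields)
    print("buffered:", LEFTOVER)
    print(registration_info(FRAMES[0][1]))
```

The parser deliberately returns unconsumed bytes instead of raising on a short read: njRAT beacons arrive over a plain TCP stream, so a frame boundary rarely lines up with a packet boundary and a reassembly tool must carry the remainder into the next read.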

Targets

    • njRAT/Bladabindi

      Widely used remote access trojan written in .NET; this build reports version 0.7d.

    • Disables Task Manager via registry modification

      Sets DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System so the victim cannot end the implant from Task Manager.

    • Modifies Windows Firewall

      Adds its own executable to the firewall's allowed-program list (njRAT does this through netsh) so its C2 traffic is not blocked.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops autorun.inf file

      Copies itself to attached removable volumes together with an autorun.inf so it can spread via USB media. Windows has ignored autorun.inf on removable drives since a 2011 update, so this only works on legacy hosts.

    • Drops file in System32 directory
