General

  • Target

    aa93d1d3cfa1ecf60082ceda795985ab

  • Size

    744KB

  • Sample

    240228-a435fsfc39

  • MD5

    aa93d1d3cfa1ecf60082ceda795985ab

  • SHA1

    1adf64271ddf24d326c1bc160d5070bc991b4021

  • SHA256

    df76b66e92d2d5f0b35e9d8b67a65f2e967ac7502013496e9e241ef510ffad29

  • SHA512

    bd76f23500f9b155c6d107e560ca536cb6a6d48ef1d437de16ea92658900cd1a1e422d4319681328d468f5ef2394fe7264d3524b2db97755dd3bea376967bcdd

  • SSDEEP

    12288:MwpS8dnIxjwclTapkjXuUALG3u/7LimWQHtJu0qqvxqNzoDvjsQjWLad:Mkjtcl2wG5

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

hadesfirst.ddns.net:8080

Mutex

ac1301b9b133e3be40f0e6bf4bb5ded8

Attributes
  • reg_key

    ac1301b9b133e3be40f0e6bf4bb5ded8

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.
