General

  • Target

    021b477ace5e87113272fd8b16830051.bin

  • Size

    184KB

  • Sample

    240228-bcnfcsfe7x

  • MD5

    021b477ace5e87113272fd8b16830051

  • SHA1

    d55ddb61b67e53245adc5bd12822ea56f1602820

  • SHA256

    e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd

  • SHA512

    ef8c8ff1ff3326848becef2615bd2a629dd1eced13c9b9776d75f3a5cfd2e913324422f806264126befdd0d6908d16be081218ab61fe20ef95111cf9a41c8817

  • SSDEEP

    3072:qUZiBJUB7JXbbkiTIR4JQffGaJNnN7SD+631zmh6Ty1:hiBWBdbkiTIR4ufGaJNnN7SC631zmh6+

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

18.ip.gl.ply.gg:43389

Mutex

4ac5522ba6619835b9ac056e603570c4

Attributes
  • reg_key

    4ac5522ba6619835b9ac056e603570c4

  • splitter

    |'|'|
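
The splitter and C2 above are enough to write a decoder for the bot's traffic. The following is an added example, not code from the report or from njRAT itself: it parses njRAT-style C2 framing (an ASCII decimal length, a NUL byte, then a payload whose fields are joined by the splitter, as commonly reported for this family) and checks whether a registration message belongs to the "HacKed" botnet. The field order inside the "ll" message and the hardware-id string are constructed for illustration, not taken from this sample.

```python
# Added example (not from the report or the njRAT author): decode njRAT-style
# C2 messages using the splitter, C2 and botnet name from the extracted config.
# Framing assumption: <ASCII decimal length>\x00<payload>, fields joined by the
# splitter. The "ll" field layout and the hardware id below are constructed.
import base64
import binascii
from typing import List, Tuple

SPLITTER = "|'|'|"                            # 'splitter' attribute from the config
C2_HOST, C2_PORT = "18.ip.gl.ply.gg", 43389   # 'C2' from the config
BOTNET = "HacKed"                             # 'Botnet' from the config


def frame(fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Encode one message as <decimal length>\\x00<fields joined by splitter>."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> Tuple[List[List[str]], bytes]:
    """Split a byte stream into complete messages.

    Returns (list of field lists, unconsumed remainder). A trailing partial
    message stays in the remainder so the caller can append more bytes.
    Raises ValueError when a length prefix is not a decimal number.
    """
    messages: List[List[str]] = []
    pos = 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                           # no complete length prefix yet
        prefix = buf[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix {prefix!r} at offset {pos}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(buf):
            break                           # payload not fully received yet
        payload = buf[start:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        pos = end
    return messages, buf[pos:]


def victim_id(fields: List[str]) -> str:
    """Decode the base64 victim id from an "ll" registration message.

    Assumption (commonly reported for njRAT, not verified against this
    sample): the second field is base64 of "<botnet>_<hardware id>".
    """
    if len(fields) < 2 or fields[0] != "ll":
        raise ValueError("not an ll registration message")
    return base64.b64decode(fields[1]).decode("utf-8", errors="replace")


def looks_like_this_botnet(fields: List[str], botnet: str = BOTNET) -> bool:
    """True if the message registers a victim to the configured botnet name."""
    try:
        return victim_id(fields).startswith(botnet + "_")
    except (ValueError, binascii.Error):
        return False


# Constructed sample traffic (not a capture): one full registration message
# followed by a truncated second message, to exercise partial-frame handling.
HWID = BOTNET + "_ABCD1234"                    # constructed hardware id
SAMPLE_FIELDS = ["ll", base64.b64encode(HWID.encode()).decode(), "DESKTOP-X",
                 "user", "24-02-28", "", "Win 10 Pro SP0 x64", "No", "0.7d",
                 "..", ""]
SAMPLE_STREAM = frame(SAMPLE_FIELDS) + b"12\x00ll" + SPLITTER.encode()


def demo() -> Tuple[List[List[str]], bytes]:
    """Parse the constructed stream: one message decoded, the partial one kept."""
    return parse_stream(SAMPLE_STREAM)


if __name__ == "__main__":
    msgs, rest = demo()
    print("victim:", victim_id(msgs[0]), "| ours:", looks_like_this_botnet(msgs[0]))
    print("unconsumed bytes:", rest)
```

Feed `parse_stream` with bytes reassembled from a TCP session to `18.ip.gl.ply.gg:43389`; a decimal length followed by a NUL and the `|'|'|` splitter is the trait to match on, since host, port and botnet name change between builds.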

Targets

    • Target

      021b477ace5e87113272fd8b16830051.bin

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

      njRAT builds commonly add their own executable to the firewall's allowed-programs list via netsh.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Typically seen when a process injects into (or hollows) a child process and redirects its main thread to the injected code.

MITRE ATT&CK Enterprise v15

Tasks