General

  • Target

    ae59fdf5c21e0dede4be06c7f82c2597

  • Size

    24KB

  • Sample

    240229-m4bfnaeh5x

  • MD5

    ae59fdf5c21e0dede4be06c7f82c2597

  • SHA1

    2cb4d3ed40d4958a3e3e1ddfebfd42fc49affa17

  • SHA256

    7bc5235538284e3133614ad8992df1a6c758250c9afe4e6ba83a1aff4c11d579

  • SHA512

    c14c03e9d103b76623344e5b6b9d7f1da65dc352ce48a778519ab99fe475071d126b3fdd56cb4491197fd55e628728319a0e646295bc5971ebd08d55b04980b6

  • SSDEEP

    384:jn4rb34wknPfHM+Jcu8e7Orz210wAQu1kDVkuZvxEYRo+AM0dTYmPW5iF9cAHF:OoFMHl4azLTF1YkiJEYRo+DDYW0eAHF

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    karrar123.ddns.net:1177

  • Mutex

    50c3e7591aec55d568f0177f1a3e4984

Attributes
  • reg_key

    50c3e7591aec55d568f0177f1a3e4984

  • splitter

    |'|'|

Targets

    • Target

      ddos.vbs

    • Size

      1.5MB

    • MD5

      5c9043e6d5d880c87bb2fb80a5723deb

    • SHA1

      aca5afc74bc860cb5e9c26002e9249fbd62d75cc

    • SHA256

      7205b3c6b53b979a326b63abef76d355647688f57d70f342968a3d6c584b17f0

    • SHA512

      c7fa0b46cb33017ffe5181df34f8e385b9d59e6b6773050d738342a27dcc2f7831dc62dc6a6c7cc48b50c0e82030f6a8ab8e7f882098eff9760e32fa945f6bf5

    • SSDEEP

      768:6gztz/OouIbXBvWBVTiN6+t5YoW1LevSPltuqXCpTIT/LIB8Ev/ZLtmXBE4wEhMW:6gM

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
