General

  • Target

    0x000f000000015c98-6.dat

  • Size

    37KB

  • Sample

    240301-ap2yvagh49

  • MD5

    0412cda3646ee3de6ba970f25c12078c

  • SHA1

    8253de37b97a87a4fb4fdaa2598482430406a885

  • SHA256

    04e0fbb43e406c2b5e30d7ceb07bfcab2874d10cd7538de8b7dac1cf55a4aff5

  • SHA512

    986e0e035bd19b3c86f7a2f4fc858e78680eb8a436ce510f9075d3b38645bf3a543f085305dc103a7c73b77c3dfa2ea92c33ecfaad034041dda8e10478d54490

  • SSDEEP

    384:JY23hUidkGXR21cGMy8Pqq53tGFlymTXrAF+rMRTyN/0L+EcoinblneHQM3epzXO:y23ZLGv8Pqq58imzrM+rMRa8Nusht

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed (the njRAT builder's default campaign name, so on its own it does not identify a particular operator)

C2

4.tcp.eu.ngrok.io:17426

Mutex

e0192d0675795a229df23bf72b5e07ce

Attributes
  • reg_key

    e0192d0675795a229df23bf72b5e07ce

  • splitter

    |'|'|
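The splitter above is the field delimiter njRAT uses in its C2 protocol, which is why it is worth carrying into network-side analysis. The following is an added example, not code from the sandbox report or from njRAT itself: it decodes a reassembled TCP stream to the C2 using this sample's splitter and checks registration frames for the extracted botnet name. It assumes the wire framing described in public njRAT write-ups (each message is "<decimal length>\x00<payload>", payload = command plus fields joined by the splitter, and the registration "ll" frame carries base64("<campaign>_<hwid>") first and the version second); later positions of "ll" vary between builds and are left unnamed. The byte stream at the bottom is constructed for the example, not captured.

```python
"""Decode njRAT C2 frames with the splitter extracted from this sample.

Added example, not from the report or from njRAT. Framing and the "ll"
field layout are assumptions taken from public njRAT write-ups; the
sample stream below is constructed, and the hwid in it is made up.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# Values from the extracted config above.
SPLITTER = "|'|'|"
BOTNET = "HacKed"
VERSION = "im523"


@dataclass
class Frame:
    command: str
    fields: list[str] = field(default_factory=list)


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> tuple[list[Frame], bytes]:
    """Cut a TCP byte stream into complete frames.

    Returns the decoded frames plus any trailing bytes that do not yet form a
    whole frame, so the caller can prepend them to the next read.
    """
    frames: list[Frame] = []
    pos = 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # length header not complete
        header = buf[pos:nul]
        if not header.isdigit():
            raise ValueError(f"bad length header at offset {pos}: {header!r}")
        start = nul + 1
        end = start + int(header)
        if end > len(buf):
            break                                   # payload not complete
        parts = buf[start:end].decode("utf-8", errors="replace").split(splitter)
        frames.append(Frame(parts[0], parts[1:]))
        pos = end
    return frames, buf[pos:]


def decode_victim_id(b64: str) -> tuple[str, str]:
    """Split the base64 victim ID, "<campaign>_<hwid>", into its two parts."""
    raw = base64.b64decode(b64).decode("utf-8", errors="replace")
    campaign, _, hwid = raw.partition("_")
    return campaign, hwid


def is_this_campaign(frame: Frame, botnet: str = BOTNET) -> bool:
    """True for a registration frame whose campaign matches the config."""
    if frame.command != "ll" or not frame.fields:
        return False
    try:
        campaign, _ = decode_victim_id(frame.fields[0])
    except ValueError:                              # binascii.Error is a ValueError
        return False
    return campaign == botnet


def build_frame(command: str, *fields: str, splitter: str = SPLITTER) -> bytes:
    """Encode one frame the way the client does (used here to build the sample)."""
    payload = splitter.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


# Constructed sample: a registration frame, a command frame with no fields,
# and the start of a third frame that has not fully arrived yet.
VICTIM_ID = base64.b64encode(b"HacKed_9A3F12C0").decode("ascii")   # hwid is made up
SAMPLE_STREAM = (
    build_frame("ll", VICTIM_ID, VERSION, "DESKTOP-01", "user", "24-03-01")
    + build_frame("inf")
    + b"16\x00CAP"
)

if __name__ == "__main__":
    frames, rest = parse_stream(SAMPLE_STREAM)
    for fr in frames:
        tag = " <- matches botnet " + BOTNET if is_this_campaign(fr) else ""
        print(fr.command, fr.fields, tag)
    print("leftover bytes:", rest)
```

To use it on real traffic, reassemble the TCP stream to the C2 with your packet tool of choice and feed the raw bytes to parse_stream; keep the leftover bytes it returns and prepend them to the next chunk. Matching the campaign name only tells you the traffic belongs to a "HacKed" build, not to a specific operator.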

Targets

    • Target

      0x000f000000015c98-6.dat

    • Size

      37KB

    • MD5

      0412cda3646ee3de6ba970f25c12078c

    • SHA1

      8253de37b97a87a4fb4fdaa2598482430406a885

    • SHA256

      04e0fbb43e406c2b5e30d7ceb07bfcab2874d10cd7538de8b7dac1cf55a4aff5

    • SHA512

      986e0e035bd19b3c86f7a2f4fc858e78680eb8a436ce510f9075d3b38645bf3a543f085305dc103a7c73b77c3dfa2ea92c33ecfaad034041dda8e10478d54490

    • SSDEEP

      384:JY23hUidkGXR21cGMy8Pqq53tGFlymTXrAF+rMRTyN/0L+EcoinblneHQM3epzXO:y23ZLGv8Pqq58imzrM+rMRa8Nusht

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (running, or refusing to run, only in particular countries).

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

      The extracted C2, 4.tcp.eu.ngrok.io:17426, is an ngrok TCP tunnel endpoint: the operator's real address sits behind the tunnel service, and the assigned port can change each time the tunnel is recreated, so detection should key on the ngrok domain rather than on this port alone.

    • Drops autorun.inf file

      Malware can abuse Windows AutoRun to spread further via removable volumes attached to the infected host.
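When a dropped autorun.inf turns up on a USB stick or other volume from an infected host, the practical question is which file it would launch and how it disguises itself. The following is an added example, not code from the report: it parses the [autorun] section tolerantly (real-world files carry junk lines meant to break INI parsers) and reports the launch targets and the masquerading tricks it finds. The autorun.inf text at the bottom is constructed; the RECYCLER path and svchost.exe file name in it are made up for the example.

```python
"""Triage an autorun.inf recovered from a volume the infected host touched.

Added example, not code from the report. The sample autorun.inf below is
constructed, and the path and file name in it are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LAUNCH_KEYS = ("open", "shellexecute")      # run a file when AutoRun fires
DECOY_FOLDERS = {"recycler", "recycled", "$recycle.bin", "system volume information"}


@dataclass
class AutorunFinding:
    entries: dict[str, str]
    targets: list[str] = field(default_factory=list)   # files the volume would launch
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.targets)


def parse_autorun(text: str) -> dict[str, str]:
    """Return key=value pairs from the [autorun] section, keys lower-cased.

    Hand-written instead of configparser so that lines without '=' and odd
    bytes are skipped rather than aborting the whole parse.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> AutorunFinding:
    finding = AutorunFinding(parse_autorun(text))

    def launches(target: str, why: str) -> None:
        if target not in finding.targets:
            finding.targets.append(target)
        finding.reasons.append(why)

    for key in LAUNCH_KEYS:
        if key in finding.entries:
            launches(finding.entries[key], f"{key}= runs {finding.entries[key]} when AutoRun fires")
    for key, value in finding.entries.items():
        # shell\<verb>\command= rewires Explorer's context-menu verbs (Open, Explore, ...)
        if key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            launches(value, f"{key}= redirects the Explorer '{verb}' verb to {value}")
    for target in finding.targets:
        folder = target.replace("/", "\\").split("\\")[0].lower()
        if folder in DECOY_FOLDERS:
            finding.reasons.append(f"{target} is parked in a system-looking folder")
    if "action" in finding.entries:
        finding.reasons.append(f"action= replaces the AutoPlay prompt text with {finding.entries['action']!r}")
    if "shell32" in finding.entries.get("icon", "").lower():
        finding.reasons.append("icon= borrows a shell32.dll icon so the entry passes as a folder or drive")
    return finding


# Constructed sample in the style seen on infected removable drives.
SAMPLE_AUTORUN = r"""[autorun]
zCtw9qX7bQ
open=RECYCLER\S-1-5-21-1482476501\svchost.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-1482476501\svchost.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501\svchost.exe
"""

if __name__ == "__main__":
    result = triage_autorun(SAMPLE_AUTORUN)
    print("suspicious:", result.suspicious)
    for reason in result.reasons:
        print(" -", reason)
```

The targets list is what to hash and compare against the SHA256 above; the reasons list is what to put in the incident notes. A benign autorun.inf that only sets label= and icon= produces no targets and is reported as not suspicious.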

MITRE ATT&CK Enterprise v15

Tasks