General

  • Target

    16045e27c2555159200589060b0ee82a.bin

  • Size

    616B

  • Sample

    240302-bdc11sgb92

  • MD5

    e35d33958a233ca30f84addada1f4a89

  • SHA1

    fdad9d028954ab155d821b94813a579fb0ee2557

  • SHA256

    6b3df70baeadb1183258d4d302af6c59594e90353c67e927b7db34a102cc14e7

  • SHA512

    870b17532fc2ee1f1ce34f40364922fe3f07b0a274fcbbac4abfd78e2fc46f3e87656a74e87a2de2a187d676ec680038fdb55b435d957df9b6050fff844cde62

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    njnjnjs.duckdns.org:35888

  • Mutex

    6515f0beea

Attributes
  • reg_key

    6515f0beea

  • splitter

    @!#&^%$

Targets

    • Target

      817fba874f30c7aa12e95ac1c7d4956679ed1eedec1976103036c87d6725cbfb.vbs

    • Size

      1KB

    • MD5

      16045e27c2555159200589060b0ee82a

    • SHA1

      e60fbff5f9387c47fa3cdf9adfb80709f16537c5

    • SHA256

      817fba874f30c7aa12e95ac1c7d4956679ed1eedec1976103036c87d6725cbfb

    • SHA512

      a2bad1a4d651671e62d6d713aba5ad31c838d9388dc9f2abd39c24bcd5e999b2ca8f52d6b28b1523c87912df0d4cb12d1c0b12b6410ce9f617df56bee1f3a43c

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
