General

  • Target

    b9574984729abfaa4a76c1a21a8c485c

  • Size

    1.2MB

  • Sample

    240307-wrqjgshh85

  • MD5

    b9574984729abfaa4a76c1a21a8c485c

  • SHA1

    c55609842af74ce9b42db12c1e6c197e5e88cbbe

  • SHA256

    e640510fdf17bfbfdb60da29e9aaac63d3bf99af981145480ba1c98799f775db

  • SHA512

    05ab8800ce9036c40cff6f46a08367ebe811338b1ea38415f71cf80fc530811a1073b91d148b09e8a9f32cf34c36f34ed1d4658af8ea517f97fb05853caf4b62

  • SSDEEP

    24576:VnGXgJMzgGOq+M4gZFni6TtvM9z1SIrZrXBKAnkwfRwhjSeZXNMRYnRRY:VFCzvEgZFiOE51SIrdRZkwfRwh+qdMRv

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    hvbhj.duckdns.org:1177

  • Mutex

    329d8a4cbf2381f319c18339a2cdf5ec

  • Attributes

    reg_key: 329d8a4cbf2381f319c18339a2cdf5ec

    splitter: |'|'|

Targets

    • Target

      b9574984729abfaa4a76c1a21a8c485c

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks