General
-
Target
weindows.exe
-
Size
176KB
-
Sample
240403-m6532scd5t
-
MD5
ac47bb114fb65162b0f4ffbbf38d32b3
-
SHA1
bdf3c7b29e4e2849d67124a591e65b0847694efc
-
SHA256
2c0427ceda20b5d73dffa07edc425418ca4e90aac2869a148caddec998161557
-
SHA512
8cda57232a30f35dfa93f18c2b3b494f6158e1fa538fb193599bc3ff35f92ef7a817134ad3d970b6bebc144bfc99c40750a4f054129dc5bd9345ed6944984153
-
SSDEEP
3072:VN9qnld1FjG6H1w53Wp/9z2k9Hc3/nl6LAHkzI1UEgEA6IIyRt:VN65FjG6E3c9yk96dAD
Malware Config
Extracted
njrat
0.7.3
Lime
0.tcp.eu.ngrok.io:17797
svshost.exe
-
reg_key
svshost.exe
-
splitter
DarkNET
Targets
-
-
Target
weindows.exe
-
Size
176KB
-
MD5
ac47bb114fb65162b0f4ffbbf38d32b3
-
SHA1
bdf3c7b29e4e2849d67124a591e65b0847694efc
-
SHA256
2c0427ceda20b5d73dffa07edc425418ca4e90aac2869a148caddec998161557
-
SHA512
8cda57232a30f35dfa93f18c2b3b494f6158e1fa538fb193599bc3ff35f92ef7a817134ad3d970b6bebc144bfc99c40750a4f054129dc5bd9345ed6944984153
-
SSDEEP
3072:VN9qnld1FjG6H1w53Wp/9z2k9Hc3/nl6LAHkzI1UEgEA6IIyRt:VN65FjG6E3c9yk96dAD
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Renames multiple (1345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-