General

  • Target

    381becb3f2f25ba825d41c28db60d72fc2b14b39d62f9e8941b6fd2f8851b178

  • Size

    8.7MB

  • Sample

    240414-zgaxtsfh7w

  • MD5

    be4638fbc8507f2cbc8030d0d834dadd

  • SHA1

    3cd76929a7acae1230732522056dc90b8b403916

  • SHA256

    381becb3f2f25ba825d41c28db60d72fc2b14b39d62f9e8941b6fd2f8851b178

  • SHA512

    2108b2fbca8d4ba5f681e9649a7928ce2b2c49aaa08e62f6139d20840b715b8ff8d7270302e37773302093ed5d3038ff4cb8580a8ee487e21f47494e8a3ffaa2

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbK:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmm

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    jjj

  • C2

    youri.mooo.com:1605

  • Mutex

    e936a10f968ac948cd351c9629dbd36d

Attributes

  • reg_key

    e936a10f968ac948cd351c9629dbd36d

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks