General
-
Target
233542a5a45357568fc6cd9d4559362afcefa19291617e0995a195586f4bd2f8
-
Size
16KB
-
Sample
240419-vasf3sae5z
-
MD5
806576467b51c792f7a5e0b3b03dda38
-
SHA1
d259459ddb4fdeef98599644b67b81782154075d
-
SHA256
233542a5a45357568fc6cd9d4559362afcefa19291617e0995a195586f4bd2f8
-
SHA512
05246bd0e98ec0fd5e0f0c36edec878fabfd8480d9153966d6f29650df7c8baf01164e1e5e20e34cb1bd38ec90afca96eb53df315561c34c83971138ddf0be19
-
SSDEEP
384:Oq26/zPZuj5+lFV086o4hODRYoftWUD9bK9jnL+hwHLZWPoF9Prfagoz:Oq17PYj5+lFGdhQ3RuL+hwHL3M3z
Malware Config
Extracted
njrat
im523
HacKed
5.tcp.eu.ngrok.io:11024
886e4e6cf55be20a7d674097273f111d
-
reg_key
886e4e6cf55be20a7d674097273f111d
-
splitter
|'|'|
Targets
-
-
Target
6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
-
Size
37KB
-
MD5
871722db5b9b702357b675e48e491193
-
SHA1
ec5cf5b57414fa8253a842bb06fc6822b85e399d
-
SHA256
6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8
-
SHA512
9757a9bfc13b23a30590dfc145f837c22fffad56f1c47ca7354ddded78c8afc2418b0a5ce0f0add6aaf59354355577141a1b05115b8faf5d978445570a58b478
-
SSDEEP
384:GstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzXIf:5tiHpR9Ef7JsQCFiArM+rMRa8NuCFt
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1