General

  • Target

    59c84b3bc89219d43110e17cee424aa6b967f4098be419045751c6a8266d99d4

  • Size

    8.7MB

  • Sample

    240430-2ayresba98

  • MD5

    9f300cda2b141af78c9e4f258ee646cb

  • SHA1

    809507d243b32dce09acd1ee16a12439bc9a38b3

  • SHA256

    59c84b3bc89219d43110e17cee424aa6b967f4098be419045751c6a8266d99d4

  • SHA512

    10a7c1c64f2c43e2a567c34c45914a1867937a843613b09e4ff68a079005ae6e4c7915bf718305e9598e92f92ae76615a4a6e0de0b563ac7b6f4c7ab7463da37

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbQ:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmc

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes
  • reg_key

    e936a10f968ac948cd351c9629dbd36d

  • splitter

    |'|'|

Targets

    • Target

      59c84b3bc89219d43110e17cee424aa6b967f4098be419045751c6a8266d99d4

    • Size

      8.7MB

    • MD5

      9f300cda2b141af78c9e4f258ee646cb

    • SHA1

      809507d243b32dce09acd1ee16a12439bc9a38b3

    • SHA256

      59c84b3bc89219d43110e17cee424aa6b967f4098be419045751c6a8266d99d4

    • SHA512

      10a7c1c64f2c43e2a567c34c45914a1867937a843613b09e4ff68a079005ae6e4c7915bf718305e9598e92f92ae76615a4a6e0de0b563ac7b6f4c7ab7463da37

    • SSDEEP

      196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbQ:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmc

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks