General

  • Target

    a919a72ddb960735594d0f4531a33c4b80bac29743ede429cff0c6b87f4c8b5e

  • Size

    43KB

  • Sample

    240501-rt9mxshb3t

  • MD5

    378532ba8c8073c2639528b08b15047b

  • SHA1

    3e5edec6cf81e91ef76f709b809594065c57f35c

  • SHA256

    a919a72ddb960735594d0f4531a33c4b80bac29743ede429cff0c6b87f4c8b5e

  • SHA512

    0cff469b5e8a9e9ff1cfceb6ac60ceebcc02fe351a68e1fbec7e2437b0d6471d5560f1ad04a8af385731a69bfa15b3c134bbf5a363888c6ef244d6604d6fa874

  • SSDEEP

    384:WZyOu1Cj8syWnvr62SneEXM05EAfdz8Iij+ZsNO3PlpJKkkjh/TzF7pWnaN7gref:Mbu04pWvr65lM0znuXQ/orN7+L

Malware Config

Extracted

  • Family

    njrat

  • Version

    Njrat 0.7 Golden By Hassan Amiri

  • Botnet

    122948256820

  • C2

    4.tcp.ngrok.io:13841

  • Mutex

    Windows Update

  • Attributes

    • reg_key

      Windows Update

    • splitter

      |Hassan|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks