General

  • Target

    3ce2612c8d59e06c0aac8e466e37efd8d07a2c4c91e5c894e44d8ec069aac668.exe

  • Size

    23KB

  • Sample

    240523-bq89zsge69

  • MD5

    ef3997fba7e285c97c28140e51928249

  • SHA1

    66734f8816697b868d9dd1dafb49ad1c3a153755

  • SHA256

    3ce2612c8d59e06c0aac8e466e37efd8d07a2c4c91e5c894e44d8ec069aac668

  • SHA512

    5422450cc95c23bffd47ba84acd489ac3997ffdb3851c167fb6925ca011afa0be5d0ed0a619b095cd3ee1f52ea9d14000e864b2cd577ab301ee65714cc7c1966

  • SSDEEP

    384:68aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZZr:9Xcwt3tRpcnu6

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

t1

C2

10.9.203.254:3131

Mutex

969f98392400891a1a1da27da68a2a1d

Attributes

  • reg_key

    969f98392400891a1a1da27da68a2a1d

  • splitter

    |'|'|

Targets

    • Target

      3ce2612c8d59e06c0aac8e466e37efd8d07a2c4c91e5c894e44d8ec069aac668.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Impair Defenses (T1562): 1
  • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks