General
-
Target
svchost.bin
-
Size
1.1MB
-
Sample
240523-w1pcsabg47
-
MD5
5bf9ee7d92c033665bbbe4cc83c6c8bd
-
SHA1
e763e34f50c83e1cf8c4be632993b8cec2ed193e
-
SHA256
f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4
-
SHA512
f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448
-
SSDEEP
24576:EQlWF5PC5xcbIdo20hVV58hCXeFnnw0uR7DF8A+dIJtFwwGf3xx7BzU:jnxcbOo28PeFcR7DF8YbGfL7BQ
Malware Config
Targets
-
-
Target
svchost.bin
-
Size
1.1MB
-
MD5
5bf9ee7d92c033665bbbe4cc83c6c8bd
-
SHA1
e763e34f50c83e1cf8c4be632993b8cec2ed193e
-
SHA256
f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4
-
SHA512
f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448
-
SSDEEP
24576:EQlWF5PC5xcbIdo20hVV58hCXeFnnw0uR7DF8A+dIJtFwwGf3xx7BzU:jnxcbOo28PeFcR7DF8YbGfL7BQ
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1