General

  • Target

    eeaf8123827bafb7b09d1d67daf4242a4950876a227b9aa7009459db0c75d6c0.zip

  • Size

    181KB

  • Sample

    240531-arz72aga2w

  • MD5

    efd127a2ded2fbc37f08c392e2086406

  • SHA1

    d86841f08eae12f19d3a04948eef5c413763a3b8

  • SHA256

    56cc33ccf220cb5ab59906616277d3d869975e248258dbac9e5f37ea9e97560d

  • SHA512

    f8c2f40f5656c09be5f2cfa391c1e51fd773005a1deb1f7dc96a9f89aace93af558955e113fabb7bf614eabc881030198dd853ab4f9da5b965dfbb8237e26f58

  • SSDEEP

    3072:EKFqv41q4nO9a3FlHGtm/yMlRGDc9VgR/zlAjDZTdeizSf+v5C7vS7XiGjn5AIMl:hqAzO0ksyMlRT9VQzlutdbSmC2GE5A6g

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

ZONA LOXOV

C2

tips-prairie.at.ply.gg:23521

Mutex

01de2842b0817bd02841f7a253f474ed

Attributes

  • reg_key

    01de2842b0817bd02841f7a253f474ed

  • splitter

    |'|'|

Targets

    • Target

      CCCPSpamTool.exe

    • Size

      302KB

    • MD5

      75008cfe420391b016dcb095d8ac94ad

    • SHA1

      95ecc4198cc48b8ab183b40d1b9dbdaea62bfb78

    • SHA256

      eeaf8123827bafb7b09d1d67daf4242a4950876a227b9aa7009459db0c75d6c0

    • SHA512

      8ee67babaed7013931dc618132cf7d84be56d54fdac5f6cf230e1abf9136578d739403a1a483cef6cf8c5b29ee7c24f3b52a480a73fef2377104dfe136648d8a

    • SSDEEP

      6144:1gZiAEAO0sByNsAal3gVAWgS7/OhwjxiuMuAf2jOX:1gZXEAO/BUdG3gVdt7KMiuMuAA4

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks