General

  • Target

    686e2a5626b280e547bf146735804c3d.exe

  • Size

    1.4MB

  • Sample

    240621-t9yxgasarj

  • MD5

    686e2a5626b280e547bf146735804c3d

  • SHA1

    05ecbdc0af40ecc66410cc55d2892dff29f507b7

  • SHA256

    82e6361a6d813709990f46d3cb5458ed874ce97a836d71d21e65bfb156bbba16

  • SHA512

    04ce303dd97fad138012283676c32a490461a14b274d9092cae539f8f0678ee32de2d03c6a14433ebb287e1efc4f3fa1b4a7ecef43d721db46140a742be78f64

  • SSDEEP

    24576:7TbBv5rUqZeduWJwuQU2mv8H0HlXKbEU9Pq89nSQ/zpcfDTKxhwfAufXXsqi2uCk:lBBedZqUH0H0HlabEfCSQQMyfAufHZXy

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

GLOBAL-LOCAL

C2

word-lang.gl.at.ply.gg:14127

Mutex

bbd47dd559142f982b0dec2505e69238

Attributes
  • reg_key

    bbd47dd559142f982b0dec2505e69238

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled
