General

  • Target

    445c58c5c3422efe4af4f7963cf64f7e7476aea0b59fa3305b7dec51d613eb39.exe

  • Size

    37KB

  • Sample

    240718-tmf35szakg

  • MD5

    12b2b849d8192f9858bb6a780d53eb37

  • SHA1

    3727d88c7c8af8b20b06b6f22511cfc86275661e

  • SHA256

    445c58c5c3422efe4af4f7963cf64f7e7476aea0b59fa3305b7dec51d613eb39

  • SHA512

    598f522406a72ca51d0aff5cc97b9f0d8d9558f1cd920309a4c10c6bbc174fbe687864b3f725f388bf46efcc4996b50361809d3b41d1842f7d0662d068806783

  • SSDEEP

    768:KEnIaSE5j1vjep4aVkOrM+rMRa8NuYqtN:ZnI3E5pbep9iR+gRJNj

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKedbyCSAimBotCheathehehe

C2

RomanPrasko-43071.portmap:43071

Mutex

6dab89b2fd31a596dbc4d84659041fc5

Attributes
  • reg_key

    6dab89b2fd31a596dbc4d84659041fc5

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks