General

  • Target

    3064-2-0x0000000000230000-0x000000000024C000-memory.dmp

  • Size

    112KB

  • Sample

    240731-fdbv6s1fma

  • MD5

    f9f51a1860620d3af2631a30ad745727

  • SHA1

    9dbf01c2fa1b015ebed3ccb2751da93d15dfdd87

  • SHA256

    ed1e350ceb243db6b480c4c6918f8d909ad749d28d959aa61d49c2c10499fcfc

  • SHA512

    0d35360b9503543a709e044d0dd010223a4bd31b3bfc634cdc2c9a8ada4759d7cfe9ea3efa2cf3fe6d4c75adf7cf5a10533ccf635a3c9ae27f151a435dbf88e2

  • SSDEEP

    1536:tVmeuLXtLwbKCEAj5dD1tpjEwzGi1dDXDqgS:tVmeiwbKCEo59/mi1d/v

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

复复美制美

C2

hakim32.ddns.net:2000

147.185.221.21:33869

Mutex

5d9b545ac4ee41f57768dba98a8ebbb2

Attributes

  • reg_key

    5d9b545ac4ee41f57768dba98a8ebbb2

  • splitter

    |'|'|

Targets

    • Target

      3064-2-0x0000000000230000-0x000000000024C000-memory.dmp

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry; likely used as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks