General

  • Target

    ea510dfb2f9717b3ee9054138be17a66d7efa4e393469b29781db7464f3d43cb

  • Size

    552KB

  • Sample

    240817-hnjpwasfjc

  • MD5

    a3454c42cfce826191e8c649e87a20b7

  • SHA1

    a0ab5124d705e840e2ff7d54d7e6082636d91951

  • SHA256

    ea510dfb2f9717b3ee9054138be17a66d7efa4e393469b29781db7464f3d43cb

  • SHA512

    e8af3fb10ad3abdbf97dfafb1482c3513939ec00c8803347c8ec70445ae1e5c416e6d1ef84e95329c40c8aef5ef0cb805efa18f8521cadb89f72db6b461768d1

  • SSDEEP

    12288:R32kYn9YFZBsws0rwfQpP9p/yFUk6l6X3cWCauQWannR8fL:RGk69IS0rw4pP9p416QMaBnRCL

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

OCT

C2

film.royalprop.trade:8109

Mutex

update.exe

Attributes
  • reg_key

    update.exe

  • splitter

    0987
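
The extracted values above are directly actionable: the C2 host and port, the mutex, the Run-key value name and the protocol splitter are all things a detection engineer can match on. The following Python block is an added example for this page, not code from the sandbox or from njRAT itself. It turns the configuration into hunting rules run over constructed host telemetry, and it implements the length-prefixed framing that njRAT uses on the wire (a decimal length, a NUL byte, then fields joined by the splitter) so a captured beacon can be split into fields with this sample's splitter. The log records and the beacon are constructed for illustration, and the Run-key path is the location njRAT builds typically use, an assumption rather than something the report states.

```python
"""Turn the njRAT configuration extracted above into hunting logic.

Added example for this page, not code from the sandbox or from njRAT itself.
The log records and the beacon below are constructed for illustration; the
Run-key path is the location njRAT builds typically use and is an assumption
about this sample rather than something the report states.
"""

# Values copied from the extracted configuration on this page.
CONFIG = {
    "family": "njrat",
    "version": "0.7.3",
    "botnet": "OCT",
    "c2_host": "film.royalprop.trade",
    "c2_port": 8109,
    "mutex": "update.exe",
    "reg_key": "update.exe",
    "splitter": "0987",
}

# Assumed persistence location (typical for njRAT; not stated in the report).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def build_frame(fields, splitter):
    """Encode fields as one njRAT-style frame: '<decimal length>\\x00<payload>',
    the payload being the fields joined by the configured splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frame(data, splitter):
    """Decode the first frame in a TCP stream buffer.

    Returns (fields, remaining_bytes); fields is None when the buffer does not
    yet hold a complete frame, so the caller can keep appending to it.
    """
    sep = data.find(b"\x00")
    if sep <= 0 or not data[:sep].isdigit():
        return None, data
    length = int(data[:sep])
    start = sep + 1
    if len(data) < start + length:
        return None, data            # partial frame: wait for more bytes
    payload = data[start:start + length]
    fields = payload.decode("utf-8", "replace").split(splitter)
    return fields, data[start + length:]


# Host/network rules derived from the config. Each rule is (label, predicate)
# over a flat event dict; the dict shape is constructed for this example.
RULES = [
    ("persistence_run_key", lambda e: e["type"] == "registry_set"
        and e["key"].lower() == RUN_KEY.lower()
        and e["value"] == CONFIG["reg_key"]),
    ("mutex", lambda e: e["type"] == "mutex_create"
        and e["name"] == CONFIG["mutex"]),
    ("c2_dns", lambda e: e["type"] == "dns_query"
        and e["query"].lower().rstrip(".") == CONFIG["c2_host"]),
    ("c2_connect", lambda e: e["type"] == "network_connect"
        and e["dst_host"].lower() == CONFIG["c2_host"]
        and e["dst_port"] == CONFIG["c2_port"]),
]


def hunt(events):
    """Return [(label, event), ...] for every event that matches a rule."""
    return [(label, e) for e in events for label, pred in RULES if pred(e)]


# Constructed telemetry resembling Sysmon-style records, including two benign
# events that must not match.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "value": "update.exe",
     "data": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"type": "mutex_create", "name": "update.exe"},
    {"type": "dns_query", "query": "film.royalprop.trade"},
    {"type": "network_connect", "dst_host": "film.royalprop.trade",
     "dst_port": 8109},
    {"type": "network_connect", "dst_host": "update.microsoft.com",
     "dst_port": 443},
    {"type": "mutex_create", "name": "Global\\UnrelatedMutex"},
]


if __name__ == "__main__":
    # Constructed check-in style beacon; the command name and fields are made
    # up for the demonstration, only the splitter comes from the config.
    beacon = build_frame(["ll", "OCT_ABCDEF12", "DESKTOP-TEST", "user"],
                         CONFIG["splitter"])
    print(beacon)
    print(parse_frame(beacon, CONFIG["splitter"]))
    for label, event in hunt(SAMPLE_EVENTS):
        print(label, event)
```

One caveat worth keeping in mind when using the splitter: "0987" is all digits, so it can legitimately occur inside field contents (hardware IDs, timestamps), and a parser that relies on it should validate the field count per command rather than trust a naive split. The mutex and Run-key value share the name update.exe, which is a useful pivot on its own: a mutex named like an executable is unusual for legitimate software.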

Targets

    • Target

      ea510dfb2f9717b3ee9054138be17a66d7efa4e393469b29781db7464f3d43cb

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Drops startup file

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      Thread context rewriting is typical of process hollowing: a payload is written into a suspended process and its main thread is redirected to it. Consistent with the AutoIT loader injecting the .NET njRAT payload.

MITRE ATT&CK Enterprise v15
