General
-
Target
2332-4-0x00000000004B0000-0x00000000004BC000-memory.dmp
-
Size
48KB
-
Sample
240921-wfpstavflb
-
MD5
08ac6cae8cecbb9d013682a10c3235dc
-
SHA1
b82491cdf5a65dd3a4087c99f6451f9e7d7c93dc
-
SHA256
822a9469eaf5b3b0ae31894e56947bfd5a6da31bdf61dea587a1ee5320033977
-
SHA512
975bcfb120b089e666ccdc9a0bcfe773ce664d626ba8813a0fae335c000f8794be76f256fbf4c9acb58ae5908e731bfa212f3fe8f0535bc140b82d49f7ae1aa2
-
SSDEEP
384:3MK6b2GZsx/Yr1+liORH1kcPFQ6Lg9gSOYRr9mRvR6JZlbw8hqIusZzZlG3:Qb9glF51LRpcnuyA
Malware Config
Extracted
njrat
0.7d
KARLA 1998
seznam.hopto.org:1177
36db42ed563b740681ec3918ded7c343
-
reg_key
36db42ed563b740681ec3918ded7c343
-
splitter
|'|'|
Targets
-
-
Target
2332-4-0x00000000004B0000-0x00000000004BC000-memory.dmp
-
Size
48KB
-
MD5
08ac6cae8cecbb9d013682a10c3235dc
-
SHA1
b82491cdf5a65dd3a4087c99f6451f9e7d7c93dc
-
SHA256
822a9469eaf5b3b0ae31894e56947bfd5a6da31bdf61dea587a1ee5320033977
-
SHA512
975bcfb120b089e666ccdc9a0bcfe773ce664d626ba8813a0fae335c000f8794be76f256fbf4c9acb58ae5908e731bfa212f3fe8f0535bc140b82d49f7ae1aa2
-
SSDEEP
384:3MK6b2GZsx/Yr1+liORH1kcPFQ6Lg9gSOYRr9mRvR6JZlbw8hqIusZzZlG3:Qb9glF51LRpcnuyA
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1