General

  • Target

    b763242ac3be701e02827c840c602d7f9a82821221ebe5b091ce43d08a7bea7a.exe

  • Size

    37KB

  • Sample

    241011-jn7mdasgqh

  • MD5

    19b3aca76d35b9d6ad75157d4d687523

  • SHA1

    6444a53e7789f1e488dfb9b559f093a6c7f9e225

  • SHA256

    b763242ac3be701e02827c840c602d7f9a82821221ebe5b091ce43d08a7bea7a

  • SHA512

    02b17da200f6a5dc71e0f006d0386756fe5c9d104f811999197491ea7b8624b72aea82771f5788ddb259e8d504b99127394147c64b882e21117455a71c196806

  • SSDEEP

    384:JeTMUiDHblmJEpRGyEfBffXuKCYyEAurAF+rMRTyN/0L+EcoinblneHQM3epzX6E:kTqHpR9EfBfWKClEHrM+rMRa8Nu0st

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

0.tcp.eu.ngrok.io:17846

Mutex

4abfedaa0ee568854b2380a6728f3fe3

Attributes
  • reg_key

    4abfedaa0ee568854b2380a6728f3fe3

  • splitter

    |'|'|

Targets

    • Target

      b763242ac3be701e02827c840c602d7f9a82821221ebe5b091ce43d08a7bea7a.exe

    • Size

      37KB

    • MD5

      19b3aca76d35b9d6ad75157d4d687523

    • SHA1

      6444a53e7789f1e488dfb9b559f093a6c7f9e225

    • SHA256

      b763242ac3be701e02827c840c602d7f9a82821221ebe5b091ce43d08a7bea7a

    • SHA512

      02b17da200f6a5dc71e0f006d0386756fe5c9d104f811999197491ea7b8624b72aea82771f5788ddb259e8d504b99127394147c64b882e21117455a71c196806

    • SSDEEP

      384:JeTMUiDHblmJEpRGyEfBffXuKCYyEAurAF+rMRTyN/0L+EcoinblneHQM3epzX6E:kTqHpR9EfBfWKClEHrM+rMRa8Nu0st

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks