General

  • Target

    12fbee2ea0cd1b8ac5559789019e001da8a798d8cf7e1c71339ea75b469e3880

  • Size

    8.7MB

  • Sample

    241012-xlqsqswcqg

  • MD5

    261906da2943c01fe7e15d2921c70dae

  • SHA1

    28e1721c909ff637339a5b52722cd50f7ff481ca

  • SHA256

    12fbee2ea0cd1b8ac5559789019e001da8a798d8cf7e1c71339ea75b469e3880

  • SHA512

    031963dc1c2cde8c3ffd31bb3d85ab83ed20e636e43d55affb8fa615fb2d930749367fc591cf79859940ba4fcd20896834fd78d00cfedd1fc05e8adae0541d12

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbB:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmN

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

    mooo.com is a shared free dynamic-DNS zone (FreeDNS), so the address this name resolves to can change at any time; block and hunt on the hostname and port rather than on a single IP.

Mutex

e936a10f968ac948cd351c9629dbd36d

    njRAT uses this identifier both as its single-instance mutex and as the Run value name for persistence, which is why it equals the reg_key below.

Attributes
  • reg_key

    e936a10f968ac948cd351c9629dbd36d

    Value name written under the Run key for persistence; matches the mutex.

  • splitter

    |'|'|

    Delimiter between fields in njRAT's C2 messages; client and server split every command on this string.
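
As an added example (not part of the sandbox report and not njRAT's own code), the following Python parser decodes an njRAT C2 stream using the splitter from the config above. The framing (ASCII decimal length, a NUL byte, then the payload) and the field order of the "ll" registration beacon are taken from public analyses of njRAT 0.7d, not from this report, and are assumptions here; the field names are this example's own labels, and the sample stream is constructed, not captured traffic.

```python
import base64

# Values taken from this report's extracted config.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "youri.mooo.com", 1605

# Field order of the "ll" registration beacon as described in public njRAT
# 0.7d analyses; the names are this example's own labels (assumption).
BEACON_FIELDS = ["opcode", "victim_id", "hostname", "username", "install_date",
                 "unused", "os", "camera", "version", "unknown",
                 "active_window", "registry"]


def parse_frames(stream: bytes):
    """Split a raw njRAT TCP stream into complete payloads.

    Framing (assumption from public njRAT analyses, not stated in the report):
    ASCII decimal payload length, one NUL byte, then that many payload bytes.
    Returns (payloads, leftover) so a caller can buffer a partial final frame.
    """
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                      # no complete length prefix yet
        try:
            length = int(stream[pos:nul].decode("ascii"))
        except ValueError:
            break                      # not njRAT framing; stop rather than desync
        start = nul + 1
        if start + length > len(stream):
            break                      # frame truncated; wait for more bytes
        payloads.append(stream[start:start + length])
        pos = start + length
    return payloads, stream[pos:]


def split_fields(payload: bytes, splitter: str = SPLITTER):
    """Split one payload into its fields on the configured splitter."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def maybe_b64(value: str) -> str:
    """njRAT base64-encodes some fields (victim id, window title); decode if valid."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except ValueError:                 # binascii.Error is a ValueError subclass
        return value


def parse_beacon(payload: bytes):
    """Decode an 'll' registration beacon into a dict, or None if it is not one."""
    fields = split_fields(payload)
    if fields[0] != "ll" or len(fields) < len(BEACON_FIELDS):
        return None
    info = dict(zip(BEACON_FIELDS, fields))
    info["victim_id"] = maybe_b64(info["victim_id"])
    info["active_window"] = maybe_b64(info["active_window"])
    return info


def decode_stream(stream: bytes):
    """Return [(opcode, fields)] for every complete frame in the stream."""
    payloads, _ = parse_frames(stream)
    return [(f[0], f) for f in (split_fields(p) for p in payloads)]


def make_frame(*fields: str) -> bytes:
    """Build a frame the way the client does (used here only for test data)."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


# Constructed sample stream (not captured traffic): a registration beacon,
# a server "inf" request, and a truncated trailing frame.
VICTIM_ID = base64.b64encode(b"jjj_7A3F1C9E").decode()     # botnet tag + fake HWID
WINDOW = base64.b64encode("Untitled - Notepad".encode()).decode()
SAMPLE_STREAM = (
    make_frame("ll", VICTIM_ID, "DESKTOP-LAB01", "analyst", "24-10-12", "",
               "Win 10 Pro SP0 x64", "No", "0.7d", "..", WINDOW, "False")
    + make_frame("inf")
    + b"12\x00ret|'|'|Hel"
)

if __name__ == "__main__":
    payloads, leftover = parse_frames(SAMPLE_STREAM)
    print(parse_beacon(payloads[0]))
    print(decode_stream(SAMPLE_STREAM))
    print("leftover bytes:", leftover)
```

Feed it a reassembled TCP stream (for example the output of a "follow TCP stream" export on port 1605) to recover the victim hostname, username and RAT version from the beacon. The parser deliberately returns the unconsumed tail instead of raising, because the beacon is often split across segments and a naive splitter-only parse would desynchronise on the first partial frame.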

Targets

    • Target

      12fbee2ea0cd1b8ac5559789019e001da8a798d8cf7e1c71339ea75b469e3880

    • njRAT/Bladabindi

      Widely used RAT written in .NET; the extracted config above (version 0.7d, C2 youri.mooo.com:1605, splitter |'|'|) is what the sandbox matched for this classification.

    • Modifies Windows Firewall

      njRAT typically whitelists its own executable with `netsh firewall add allowedprogram ... ENABLE` so the outbound C2 connection is not blocked.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Persistence via a Run registry value; in njRAT the value name is the reg_key from the extracted config (e936a10f968ac948cd351c9629dbd36d), which is the artefact to hunt for.

    • AutoIT Executable

      AutoIt script compiled into a PE executable. Since the RAT itself is .NET, the AutoIt binary is the outer dropper or loader and the njRAT payload is carried inside it.

    • Suspicious use of SetThreadContext

      Typically seen when a loader maps a payload into a suspended process and redirects its entry point (process hollowing); together with the AutoIt wrapper this suggests the RAT is injected into another process rather than run directly from disk.
