General

  • Target

    mal.bin

  • Size

    37KB

  • Sample

    241016-g1gklswglg

  • MD5

    1a89a94b9f8b3e9e12009ce905a6afd7

  • SHA1

    18bf661911a93377ada5902ebc581e535f798bd3

  • SHA256

    f75a78bbb8b9fec7151cda7ddfe71f05a83828a202b7fb3278840491c775212d

  • SHA512

    2b6f7138875dcad65761294b43fde006980efeded9264e11c2d8ee5131c61ec6d4d8ef48cdf5b3c649c32712e255442a0c4d1be572bb9141a9f383b7181bd950

  • SSDEEP

    384:767DUiSOL1G5k2gyk/Q0flq/Mst+xWrAF+rMRTyN/0L+EcoinblneHQM3epzXUAH:+7v32bk/Q0oEst+ArM+rMRa8NuuAdt

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

45.141.26.54:1337

Mutex

619caaa21abeda3dd8c1c8d9779b2992

Attributes
  • reg_key

    619caaa21abeda3dd8c1c8d9779b2992

  • splitter

    |'|'|

Targets

    • Target

      mal.bin

    • Size

      37KB

    • MD5

      1a89a94b9f8b3e9e12009ce905a6afd7

    • SHA1

      18bf661911a93377ada5902ebc581e535f798bd3

    • SHA256

      f75a78bbb8b9fec7151cda7ddfe71f05a83828a202b7fb3278840491c775212d

    • SHA512

      2b6f7138875dcad65761294b43fde006980efeded9264e11c2d8ee5131c61ec6d4d8ef48cdf5b3c649c32712e255442a0c4d1be572bb9141a9f383b7181bd950

    • SSDEEP

      384:767DUiSOL1G5k2gyk/Q0flq/Mst+xWrAF+rMRTyN/0L+EcoinblneHQM3epzXUAH:+7v32bk/Q0oEst+ArM+rMRa8NuuAdt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks