General

  • Target

    18e17c9f24fbd98e67d34b0e64a7b3ef4c3e7ea04a96868958206bab25cf188f

  • Size

    8.7MB

  • Sample

    241016-xjtfvawdma

  • MD5

    3010c1012014d92527a0da9d85e82c2c

  • SHA1

    3aaf2a6b2d1275d3792381f66b111fc343aa8f4c

  • SHA256

    18e17c9f24fbd98e67d34b0e64a7b3ef4c3e7ea04a96868958206bab25cf188f

  • SHA512

    5569c66dd334c8db135d0580d7c0be57edb1e1df7d9d9d952bc135181fb7a49de57097197806294ffce49e490c17c7d19376d419f780e77bd8a109a81dbd4c04

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbl:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmR

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    jjj

  • C2

    youri.mooo.com:1605

  • Mutex

    e936a10f968ac948cd351c9629dbd36d

  • Attributes

      • reg_key

        e936a10f968ac948cd351c9629dbd36d

      • splitter

        |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks