General

  • Target

    65e8e6ca4199bb98bdd37f8b767638c3d3109c43bfc38860431495be339e08a0

  • Size

    8.7MB

  • Sample

    241017-2qqezs1dqg

  • MD5

    89f474301627920f644a52d808769068

  • SHA1

    ab4da8bc5d6150bec7a1bfcf333938b2f058918b

  • SHA256

    65e8e6ca4199bb98bdd37f8b767638c3d3109c43bfc38860431495be339e08a0

  • SHA512

    3b8382ebe26480a01571002e34e990436375861a447efcd155d390baec0d5a1fd5d8b7636a41b0640ecdd337898d6e2bd066dc1483b3c64084958937b23c2e18

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbC:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmm

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    jjj

  • C2

    youri.mooo.com:1605

  • Mutex

    e936a10f968ac948cd351c9629dbd36d

  • Attributes

    • reg_key

      e936a10f968ac948cd351c9629dbd36d

    • splitter

      |'|'|

Targets


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks