General

  • Target

    c68ae0051ee0596c6eab371c74ba3f4f03625e5f9407eb19066ad0ae8c513a3fN

  • Size

    23KB

  • Sample

    241030-kt64gazelb

  • MD5

    3ddab4fcdd113806ac5f8ef3cd3c3a10

  • SHA1

    f605ffeb54b2ced44421034bfa0728e8a01e0441

  • SHA256

    c68ae0051ee0596c6eab371c74ba3f4f03625e5f9407eb19066ad0ae8c513a3f

  • SHA512

    8cfec4673b02b8e7b76cee46c3d1d8d837b98aad085b5891de2ffda543f74e04fc090ae493ff99115cba7ee5452a85597d7213ffb1414ecba211ebbee27b7d21

  • SSDEEP

    384:/MKCWZ5xTAcZeMiO7k9zW067vgdTmZFDLRmRvR6JZlbw8hqIusZzZxCO:UaZrF77boRpcnus

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

qza

C2

127.0.0.1:5552

Mutex

e0db563f3b88c53c373b4bd710d69987

Attributes
  • reg_key

    e0db563f3b88c53c373b4bd710d69987

  • splitter

    |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
