General

  • Target

    5639922ef88efb99a43a7ec4dc3a2c5ad8009013e3bbd2af9f22a81d4cd99bbcN

  • Size

    8.7MB

  • Sample

    241104-kd1lraxfpb

  • MD5

    b9d3bbc92c5b0445009268506d8203e0

  • SHA1

    ddc75e7ed111bf40d052533734fb4b435c4f0154

  • SHA256

    5639922ef88efb99a43a7ec4dc3a2c5ad8009013e3bbd2af9f22a81d4cd99bbc

  • SHA512

    4314cadcae2a83ef7385eafcd09a45d9dc4c0da736b312a86c06079e8b7f0a1f396242c824d5725c04cf23c425136bd8eec8a4e80a023eefb855310f958fd0f3

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbz:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmn

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes
  • reg_key

    e936a10f968ac948cd351c9629dbd36d

  • splitter

    |'|'|

Targets

    • Target

      5639922ef88efb99a43a7ec4dc3a2c5ad8009013e3bbd2af9f22a81d4cd99bbcN

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks