General

  • Target

    66a1743f5791c9746a988bb1e5c250f25941a3122430be24380d9a9cb3484961

  • Size

    489KB

  • Sample

    241104-xfl8csxpgr

  • MD5

    3dbe30b615ca39afbc28c4e00fb5941d

  • SHA1

    199f664cf6d92a172c2e2d8cbfcd71f2884f2906

  • SHA256

    66a1743f5791c9746a988bb1e5c250f25941a3122430be24380d9a9cb3484961

  • SHA512

    2fd60508dfbe0942363bdd1183df0e2c43d628af036462d9ab648bce15209ef39061e64b162174b500fb5c79a3dcb07a6098bb365c9eea76dcd4fb0ab62110e8

  • SSDEEP

    12288:tar1ua/gY5dCTiJ5njy4NR/9M4OZp75vl07sOxc:ohn5QyNykI4AVly7

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

VIP@DUMP

C2

volkatv500.sytes.net:999

Mutex

e0bb29bc288c4cac846ed6aff410e0c6

Attributes
  • reg_key

    e0bb29bc288c4cac846ed6aff410e0c6

  • splitter

    |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

      Adds an allow entry for its own executable (njRAT does this by spawning netsh with `firewall add allowedprogram`, so a netsh.exe child of the sample is a useful detection point).

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      Persistence under the CurrentVersion\Run key; the value name is the reg_key from the extracted config above, which njRAT also uses as its mutex name.
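As an added example (not code from the sandbox report or from njRAT itself), the Python below turns the extracted config and the behaviours listed above into a small hunt over constructed telemetry: it parses an njRAT-style registration beacon using the extracted splitter and checks the botnet ID, and it tags DNS, connection, mutex, Run-key and netsh events that match the indicators. The beacon framing (decimal length, NUL, splitter-joined fields, Base64 `<botnet>_<hwid>` victim ID), the `kind|data` event format, the sample events and the netsh command line are assumptions made for the example.

```python
"""Hunt for the njRAT indicators extracted in the report above (added example)."""
from __future__ import annotations

import base64
import re

# Indicators copied from the extracted config in this report
C2_HOST = "volkatv500.sytes.net"
C2_PORT = 999
BOTNET = "VIP@DUMP"
REG_KEY = "e0bb29bc288c4cac846ed6aff410e0c6"   # used as both mutex and Run value name
SPLITTER = "|'|'|"

# njRAT adds itself to the firewall allow list via netsh (command shape assumed here)
FIREWALL_RE = re.compile(r"\bnetsh\b.*\bfirewall\b.*\badd\s+allowedprogram\b", re.I)


def parse_beacon(raw: bytes) -> dict | None:
    """Parse an njRAT-style registration message.

    Assumed framing (not documented in the report): ASCII decimal payload
    length, a NUL byte, then the payload. Payload fields are joined with
    SPLITTER; field 0 is the command ("ll" = register) and field 1 is Base64
    of "<botnet>_<hwid>". Returns None for anything that does not fit.
    """
    length, nul, payload = raw.partition(b"\x00")
    if not nul or not length.isdigit() or int(length) != len(payload):
        return None
    fields = payload.decode("utf-8", "replace").split(SPLITTER)
    if len(fields) < 2 or fields[0] != "ll":
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    botnet, sep, hwid = victim.partition("_")
    if not sep:
        return None
    return {"botnet": botnet, "hwid": hwid, "extra": fields[2:]}


def make_sample_beacon() -> bytes:
    """Constructed registration message for the example (not captured traffic)."""
    victim = base64.b64encode(f"{BOTNET}_5A3C1F2E".encode()).decode()
    fields = ["ll", victim, "DESKTOP-TEST", "user", "24-11-04", "", "Win 10 Pro", "No", "0.7d"]
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


def classify_event(event: str) -> str | None:
    """Tag one 'kind|data' telemetry line that matches an indicator, else None."""
    kind, _, data = event.partition("|")
    if kind == "dns" and data.lower().rstrip(".") == C2_HOST:
        return "c2-dns"
    if kind == "net" and data.lower() == f"{C2_HOST}:{C2_PORT}":
        return "c2-connect"
    if kind == "mutex" and data == REG_KEY:
        return "mutex"
    if kind == "reg" and data.lower().endswith(f"\\currentversion\\run\\{REG_KEY}"):
        return "run-key"
    if kind == "proc" and FIREWALL_RE.search(data):
        return "firewall-allow"
    if kind == "tcp":
        beacon = parse_beacon(data.encode())
        if beacon and beacon["botnet"] == BOTNET:
            return "njrat-beacon"
    return None


def hunt(events: list[str]) -> dict[str, list[str]]:
    """Group matching events by indicator tag; benign events are dropped."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        tag = classify_event(ev)
        if tag:
            hits.setdefault(tag, []).append(ev)
    return hits


# Constructed sample telemetry (not from the report) in a flat "kind|data" form
SAMPLE_EVENTS = [
    "dns|volkatv500.sytes.net",
    "net|volkatv500.sytes.net:999",
    'proc|netsh firewall add allowedprogram "C:\\Users\\user\\AppData\\Roaming\\server.exe" "server.exe" ENABLE',
    "reg|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + REG_KEY,
    "mutex|" + REG_KEY,
    "tcp|" + make_sample_beacon().decode(),
    "dns|www.example.com",        # benign, must not match
    "tcp|GET / HTTP/1.1",         # benign, must not match
]

if __name__ == "__main__":
    for tag, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{tag:15} {len(evs)} event(s)")
```

The beacon parser checks the length prefix and requires a well-formed Base64 victim ID, so unrelated traffic that merely contains `|'|'|` is not tagged; the botnet string is what ties a decoded beacon back to this specific config rather than to njRAT in general.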

MITRE ATT&CK Enterprise v15