General

  • Target

    34da1a0340fd4b9409ef1853b12f3219a6dae215

  • Size

    914KB

  • Sample

    241109-b9f3jstnaw

  • MD5

    6440f1d781cb8634fc75319df46feff7

  • SHA1

    34da1a0340fd4b9409ef1853b12f3219a6dae215

  • SHA256

    d91af630cbb6a8c648dfbd18e181fc6b8243e7c8e9bd4fb40045e4711a797b6a

  • SHA512

    7c60fe08be6baa56a3df2bdbda18b70a2c3e85c2cb9967907e10478a3896d2b90e952a8a45f54833a03974254a8517680a88fad4b31336fe8b08e75ebc2bca73

  • SSDEEP

    24576:2GHAp/tN9oeMVsYwZIgs46AEZ7CWG7RPHkHb4CO:2GHE/HPMtwZy46gh7RPHMDO

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

be09dd19.ddns.net:1337

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

redline

Botnet

@heatwins

C2

101.99.93.104:80

Attributes
  • auth_value

    17c423c2282427bab2bc1b1703c250bf

Targets

    • Target

      injcetor.bin

    • Size

      3.4MB

    • MD5

      fd1f9974340c428b15e8bf838122326d

    • SHA1

      c07709c671960f880c568516572b594ad5946029

    • SHA256

      b2421dc681198079bfa3cae05c63750b3847211ab307051604c5e7e0ca2033a1

    • SHA512

      647d9cc2d63dae6a4bfcb055b3d82bfae887fe08dfc04de6312f4a9953c64bbb2a16e225e79ee0ce1777676ab9465942e3a165a9d0feb921173858a3b4a10953

    • SSDEEP

      24576:VQqt82oJ5L4RGVFoQ0C/Q12H0RmAdmR8dG2FAYOcy7qWDLUTk+vJ3UcDS0ScE1k9:BxyqCLQFzB5

    • Njrat family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks