General

  • Target

    56239d28dda750a7b9f5eb0d7ec7a72cd4cfb4cb21e5c1e43a8893fa303b2a62.exe

  • Size

    291KB

  • Sample

    241121-cv42haxrax

  • MD5

    8e8f6ffd1c602b7c00ba2e87319fe83e

  • SHA1

    03ebc5f035c06abb8b66c5d47fd41d43d6b6035b

  • SHA256

    56239d28dda750a7b9f5eb0d7ec7a72cd4cfb4cb21e5c1e43a8893fa303b2a62

  • SHA512

    d70c5220ef7071f0513e9e7436b42c093dbc298be2ee978a7795cfd6552693f9f006c26f00f6e217cfbae5904d15b840baa12409f2eaaf8f03ec8d71cdd11422

  • SSDEEP

    6144:L5b5bjevaup+gXzefbnGIudk/6X44yvVe+RTPzO:NbJcPSjn8q6oTteeC

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    chorom

  • C2

    ahmedstar123.ddns.net:1177

  • Mutex

    5fa843546065a766a9db244b1f33ea6e

Attributes
  • reg_key

    5fa843546065a766a9db244b1f33ea6e

  • splitter

    |'|'|
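The splitter above is the field separator njRAT puts between the parts of every C2 message, and the Botnet value is the campaign name the client embeds in its first message. The following is an added example (not code from the report or from the sample) that reassembles njRAT frames and parses the registration message using the splitter and botnet name from this config. It assumes the 0.7d wire format as commonly documented: each message is an ASCII decimal length, a NUL byte, then the payload; the first client message starts with the field "ll" followed by base64(<botnet>_<hwid>), then the machine and user names. The host name, user name and HWID in the sample stream are constructed.

```python
"""Decode njRAT C2 frames using the field splitter and botnet name from the
extracted config above (added example, not code from the report or the sample)."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

SPLITTER = "|'|'|"   # "splitter" attribute from the extracted config
BOTNET = "chorom"    # "Botnet" field; njRAT embeds it as <botnet>_<hwid>


def frame(payload: bytes) -> bytes:
    """njRAT framing (assumed from the 0.7d client): ASCII decimal length,
    a NUL byte, then the payload."""
    return b"%d\x00%s" % (len(payload), payload)


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a reassembled TCP stream into complete payloads.

    Returns (payloads, unconsumed_tail). A frame whose length prefix is not a
    short run of digits, or whose body has not fully arrived yet, stops the scan
    so the caller can append more data and retry.
    """
    payloads: List[bytes] = []
    while True:
        nul = stream.find(b"\x00", 0, 12)          # length prefix is short
        if nul <= 0 or not stream[:nul].isdigit():
            break
        end = nul + 1 + int(stream[:nul])
        if len(stream) < end:
            break
        payloads.append(stream[nul + 1:end])
        stream = stream[end:]
    return payloads, stream


def split_fields(payload: bytes) -> List[str]:
    # str.split, not re.split: the splitter is made of regex metacharacters.
    return payload.decode("utf-8", "replace").split(SPLITTER)


def parse_registration(payload: bytes) -> Optional[Dict[str, object]]:
    """Parse the client's first message ("ll"): base64(<botnet>_<hwid>),
    then machine name and user name. The field order after the identifier
    is an assumption taken from the 0.7d client, not from this report."""
    fields = split_fields(payload)
    if len(fields) < 4 or fields[0] != "ll":
        return None
    try:
        ident = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None
    botnet, _, hwid = ident.partition("_")
    return {"botnet": botnet, "hwid": hwid,
            "machine": fields[2], "user": fields[3], "rest": fields[4:]}


def constructed_stream() -> bytes:
    """A registration frame followed by an incomplete second frame. Host, user,
    HWID and the trailing fields are made up for this example."""
    ident = base64.b64encode(f"{BOTNET}_5A3F9C1E".encode()).decode()
    reg = SPLITTER.join(
        ["ll", ident, "DESKTOP-TEST", "alice", "24-11-21", "",
         "Win 10 Pro SP0 x64", "No", "0.7d"]
    ).encode()
    return frame(reg) + b"17\x00partial"   # second frame still in flight


if __name__ == "__main__":
    msgs, tail = unframe(constructed_stream())
    print(parse_registration(msgs[0]), "tail:", tail)
```

Splitting on the raw splitter string rather than a regex matters in practice: `|'|'|` contains `|`, which a regex would read as alternation, and a carelessly built pattern silently splits on every character. The leftover tail returned by unframe is what lets the same parser run over a live stream fed in chunks.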

Targets

    • Target

      56239d28dda750a7b9f5eb0d7ec7a72cd4cfb4cb21e5c1e43a8893fa303b2a62.exe

    • Size

      291KB

    • MD5

      8e8f6ffd1c602b7c00ba2e87319fe83e

    • SHA1

      03ebc5f035c06abb8b66c5d47fd41d43d6b6035b

    • SHA256

      56239d28dda750a7b9f5eb0d7ec7a72cd4cfb4cb21e5c1e43a8893fa303b2a62

    • SHA512

      d70c5220ef7071f0513e9e7436b42c093dbc298be2ee978a7795cfd6552693f9f006c26f00f6e217cfbae5904d15b840baa12409f2eaaf8f03ec8d71cdd11422

    • SSDEEP

      6144:L5b5bjevaup+gXzefbnGIudk/6X44yvVe+RTPzO:NbJcPSjn8q6oTteeC

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Reads the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
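The behaviours listed above, together with the reg_key, mutex and C2 values from the extracted config, are what a responder would turn into host and network checks. The following is an added example (not code from the report or the sample) that runs such checks over a few constructed telemetry records. It assumes, beyond what the report states, that njRAT's firewall change appears as a "netsh firewall add allowedprogram" command line and that the location check reads the Nation value under Control Panel\International\Geo; the event shapes, paths and file names are constructed for the example.

```python
"""Match host and network telemetry against the indicators and behaviours
listed for this sample (added example; the events below are constructed)."""
import re
from typing import Callable, Dict, List, Tuple

# From the extracted config above.
REG_KEY = "5fa843546065a766a9db244b1f33ea6e"      # Run-key value name, also the mutex
C2_HOST = "ahmedstar123.ddns.net"
C2_PORT = 1177

Event = Dict[str, object]

# Assumptions about how the listed behaviours surface in telemetry (not from
# the report): the firewall hole is opened with "netsh firewall add
# allowedprogram", and the location check reads Nation under
# Control Panel\International\Geo.
NETSH_ALLOW = re.compile(r"\bnetsh\s+firewall\s+add\s+allowedprogram\b", re.I)
RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
GEO_KEY_SUFFIX = "\\control panel\\international\\geo"


def _s(e: Event, k: str) -> str:
    """Lower-cased string field, empty when absent."""
    return str(e.get(k, "")).lower()


def run_key_reg_key(e: Event) -> bool:
    return (e["type"] == "registry_set" and _s(e, "key").endswith(RUN_KEY_SUFFIX)
            and _s(e, "value") == REG_KEY)


def firewall_allowedprogram(e: Event) -> bool:
    return e["type"] == "process" and bool(NETSH_ALLOW.search(_s(e, "cmdline")))


def startup_folder_drop(e: Event) -> bool:
    p = _s(e, "path")
    return e["type"] == "file_create" and STARTUP_DIR in p and p.endswith(".exe")


def geofence_registry_lookup(e: Event) -> bool:
    return (e["type"] == "registry_read" and _s(e, "key").endswith(GEO_KEY_SUFFIX)
            and _s(e, "value") == "nation")


def c2_contact(e: Event) -> bool:
    if e["type"] == "dns":
        return _s(e, "query") == C2_HOST
    return e["type"] == "connect" and _s(e, "host") == C2_HOST and e.get("port") == C2_PORT


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    (fn.__name__, fn) for fn in
    (run_key_reg_key, firewall_allowedprogram, startup_folder_drop,
     geofence_registry_lookup, c2_contact)
]


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, fn in RULES if fn(e)]


def constructed_events() -> List[Event]:
    """Constructed Sysmon-style records; the drop path and file name are made up."""
    drop = r"C:\Users\alice\AppData\Roaming\server.exe"
    return [
        {"type": "registry_read", "key": r"HKCU\Control Panel\International\Geo",
         "value": "Nation"},
        {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                        r"\Start Menu\Programs\Startup\server.exe"},
        {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
         "cmdline": f'netsh firewall add allowedprogram "{drop}" "server.exe" ENABLE'},
        {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value": REG_KEY, "data": drop},
        {"type": "dns", "query": "ahmedstar123.ddns.net"},
        {"type": "connect", "host": "ahmedstar123.ddns.net", "port": 1177},
        {"type": "process", "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
    ]


if __name__ == "__main__":
    for idx, rule in triage(constructed_events()):
        print(f"event {idx}: {rule}")
```

The Run-key rule keys on the value name rather than the dropped path because the path is whatever the dropper chose on that host, while the value name is the build constant recovered from the config; the same constant is the mutex name, so a live-host check can also look for a mutex named 5fa843546065a766a9db244b1f33ea6e.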

MITRE ATT&CK Enterprise v15

Tasks