General

  • Target

    45d6f494c74ce1476999971d138c109c8128007d63efb19071eda8b822acc6d7.exe

  • Size

    2.2MB

  • Sample

    241122-x8q21ssrbj

  • MD5

    949fe8bf732a3d84689e9b8582e4086c

  • SHA1

    43d66791d93f06298034a2e4cfefe50d999db3a5

  • SHA256

    45d6f494c74ce1476999971d138c109c8128007d63efb19071eda8b822acc6d7

  • SHA512

    73862276b0505e537854f6f2e9df558a1c402e0d3487d2fba420806b22ac2b4091cf06beafc4471b5c66315e6439b779260c16bde3d26823ddc553299936cc2d

  • SSDEEP

    24576:+aa/7Pf8rL1A/vNYZvjG707LebVL6eoREUamnB65ZuHap9cv8a8EhtK9p+T9Gu7c:yPEUNewyLm6eaa0/an67tOCToyiiORh

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

192.168.31.54:6552

Mutex

System Helper

Attributes
  • reg_key

    System Helper

  • splitter

    |Hassan|

Targets

    • Target

      45d6f494c74ce1476999971d138c109c8128007d63efb19071eda8b822acc6d7.exe

    • Size

      2.2MB

    • MD5

      949fe8bf732a3d84689e9b8582e4086c

    • SHA1

      43d66791d93f06298034a2e4cfefe50d999db3a5

    • SHA256

      45d6f494c74ce1476999971d138c109c8128007d63efb19071eda8b822acc6d7

    • SHA512

      73862276b0505e537854f6f2e9df558a1c402e0d3487d2fba420806b22ac2b4091cf06beafc4471b5c66315e6439b779260c16bde3d26823ddc553299936cc2d

    • SSDEEP

      24576:+aa/7Pf8rL1A/vNYZvjG707LebVL6eoREUamnB65ZuHap9cv8a8EhtK9p+T9Gu7c:yPEUNewyLm6eaa0/an67tOCToyiiORh

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks