General
-
Target
91f915d7b7de6d838a41c4aa75443b6fc503639960b9cd41b7a0a6d071830853.exe
-
Size
117KB
-
Sample
241123-dp33pasreq
-
MD5
ad287daf81b42f5d4b31fe887d8e3df6
-
SHA1
294f012ba425ac0261fa9479b40dbd7ecd144724
-
SHA256
91f915d7b7de6d838a41c4aa75443b6fc503639960b9cd41b7a0a6d071830853
-
SHA512
262e84e86f8e822df1100c7a09e23b0ba5a72e94c47b9f251cdef80529c5c57ea64d9e3d4cbdc270901369ba3ac7bd6f2dd2042c4cdfafc5c967d8dc6c4fde26
-
SSDEEP
3072:7E8AHzBgZC5gRFYU2zmMcVinx7754KmUa6Qo:uyggR+U2HoiV14KmUF
Malware Config
Extracted
njrat
0.6.4
mx
209.200.39.186:1172
7c5ab2d4b3ee0e1b3e9cf876e75dff1f
-
reg_key
7c5ab2d4b3ee0e1b3e9cf876e75dff1f
-
splitter
|'|'|
Targets
-
-
Target
91f915d7b7de6d838a41c4aa75443b6fc503639960b9cd41b7a0a6d071830853.exe
-
Size
117KB
-
MD5
ad287daf81b42f5d4b31fe887d8e3df6
-
SHA1
294f012ba425ac0261fa9479b40dbd7ecd144724
-
SHA256
91f915d7b7de6d838a41c4aa75443b6fc503639960b9cd41b7a0a6d071830853
-
SHA512
262e84e86f8e822df1100c7a09e23b0ba5a72e94c47b9f251cdef80529c5c57ea64d9e3d4cbdc270901369ba3ac7bd6f2dd2042c4cdfafc5c967d8dc6c4fde26
-
SSDEEP
3072:7E8AHzBgZC5gRFYU2zmMcVinx7754KmUa6Qo:uyggR+U2HoiV14KmUF
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1