General
-
Target
F67D72EA066963D2022F70E713DF05FB.exe
-
Size
340KB
-
Sample
241130-lvtefa1kfs
-
MD5
f67d72ea066963d2022f70e713df05fb
-
SHA1
c872659bb161c05fe15b56b03ecda2f369779cf6
-
SHA256
19ceb2fb547708b698c90222c404f1ae92f697a8f3471c34217eae990d384f21
-
SHA512
fff2c9c05a221b6115b962c0b12465021cd7ef7f328bc66035a98c9a7cfac4c9eb293b648856d3a2f750361841c69d1664579e88f553901dbdc26a8e7ac2bcc9
-
SSDEEP
6144:shKBbUiI0zzx/vnG2pFgLbkOtJ6b/7FQ8BKmBLoBXZauy1CYWQhZ66z+n4VZbd8:shKCqOkOj6T5NXOauy1CTQhZ66z24VZZ
Malware Config
Extracted
njrat
0.7d
HacKed
lemon.geoiplookup.live:56071
Registry Editor
-
reg_key
Registry Editor
-
splitter
|'|'|
Targets
-
-
Target
F67D72EA066963D2022F70E713DF05FB.exe
-
Size
340KB
-
MD5
f67d72ea066963d2022f70e713df05fb
-
SHA1
c872659bb161c05fe15b56b03ecda2f369779cf6
-
SHA256
19ceb2fb547708b698c90222c404f1ae92f697a8f3471c34217eae990d384f21
-
SHA512
fff2c9c05a221b6115b962c0b12465021cd7ef7f328bc66035a98c9a7cfac4c9eb293b648856d3a2f750361841c69d1664579e88f553901dbdc26a8e7ac2bcc9
-
SSDEEP
6144:shKBbUiI0zzx/vnG2pFgLbkOtJ6b/7FQ8BKmBLoBXZauy1CYWQhZ66z+n4VZbd8:shKCqOkOj6T5NXOauy1CTQhZ66z24VZZ
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1