General
-
Target
40efde16d08059a99d43c80e67e7c76c51893186aac36f091da2ece9eecceb58N.exe
-
Size
980KB
-
Sample
241203-d6xbgatpfq
-
MD5
9d39a28d4969df4949cebc75f03554c0
-
SHA1
1e3230a54a084e8558c648a66b23f868e7c1276f
-
SHA256
40efde16d08059a99d43c80e67e7c76c51893186aac36f091da2ece9eecceb58
-
SHA512
4b3c4e6b50a28e8352db4ffacdb865ed1ff219c224d40db3076c796ca4cd83c1e9cd35151a1473c2e72bd172ca0bc0f7e43282cb63f12e9199d4641ff9a2c847
-
SSDEEP
12288:x2LaKaEt0ymu5M2kqChPAxzlO50IoPWEu/8+l89R6WvEVr4aQxU:xdnuahPS5nxTRdvEVr47
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:5552
279f6960ed84a752570aca7fb2dc1552
-
reg_key
279f6960ed84a752570aca7fb2dc1552
-
splitter
|'|'|
Targets
-
-
Target
40efde16d08059a99d43c80e67e7c76c51893186aac36f091da2ece9eecceb58N.exe
-
Size
980KB
-
MD5
9d39a28d4969df4949cebc75f03554c0
-
SHA1
1e3230a54a084e8558c648a66b23f868e7c1276f
-
SHA256
40efde16d08059a99d43c80e67e7c76c51893186aac36f091da2ece9eecceb58
-
SHA512
4b3c4e6b50a28e8352db4ffacdb865ed1ff219c224d40db3076c796ca4cd83c1e9cd35151a1473c2e72bd172ca0bc0f7e43282cb63f12e9199d4641ff9a2c847
-
SSDEEP
12288:x2LaKaEt0ymu5M2kqChPAxzlO50IoPWEu/8+l89R6WvEVr4aQxU:xdnuahPS5nxTRdvEVr47
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1