General

  • Target

    4c0dd651b91d4e3a13cc6e29398fee4cff9f2624727830273e09dea2f9b52e5e.exe

  • Size

    980KB

  • Sample

    241203-wj8p4askcn

  • MD5

    5a1d67104626806bdbc74cd6fbe0af6d

  • SHA1

    69869281403a2a11c7c99f338736b5ef247fffd8

  • SHA256

    4c0dd651b91d4e3a13cc6e29398fee4cff9f2624727830273e09dea2f9b52e5e

  • SHA512

    bdcd851a6ae6b37bf372a18756d8c497a0cd86e1bba7076ade6342ea886943d0a5ae621fd0eb82b400f7b14d12ef1a4a163b315285f837c3b655be1c36efed97

  • SSDEEP

    12288:x2LaKaEt0ymu5M2kqChPAxzlO50IoPWEu/8+l89R6WvEVr4aQxU9:xdnuahPS5nxTRdvEVr474

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

  "HacKed" is the campaign name the njRAT builder fills in by default.

C2

127.0.0.1:5552

  Loopback address on njRAT's default port (5552). Together with the default campaign name this indicates a build left at stock settings; when detonated it will only try to connect to itself and will not reach an external C2, so no network IOC can be taken from this sample.

Mutex

279f6960ed84a752570aca7fb2dc1552

Attributes
  • reg_key

279f6960ed84a752570aca7fb2dc1552

  Identical to the mutex above; njRAT uses one identifier string for both the mutex and the Run-key value name.

  • splitter

    |'|'|

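The splitter and botnet name above are what a network detection needs to pick njRAT registration traffic apart. The following parser is an added example and is not code from the sandbox or from the njRAT project. Its frame layout (an ASCII decimal length, a NUL byte, then the payload, with fields separated by the splitter and an "ll" registration frame carrying <botnet>_<volume serial>, <host>/<user>, date, OS, version and a base64 window title) is taken from public njRAT 0.7d write-ups, not from this report, and the sample bytes are constructed for the example. It handles frames split across reads and rejects malformed length prefixes.

```python
"""Added example (not part of the sandbox report): parse njRAT C2 frames with
the splitter recovered in the extracted config above.

Assumed from public njRAT 0.7d write-ups, not from this report:
  * a frame is an ASCII decimal length, a NUL byte, then that many bytes;
  * fields inside a frame are separated by the splitter |'|'|;
  * the first field is the command; the "ll" registration frame carries
    <botnet>_<volume serial>, <host>/<user>, date, OS, version and a
    base64-encoded active window title.
The SAMPLE bytes below are constructed for this example.
"""
import base64

SPLITTER = "|'|'|"        # from the extracted config
BOTNET = "HacKed"          # from the extracted config
MAX_FRAME = 1 << 20        # refuse absurd length prefixes (assumed limit)


def parse_frames(data: bytes):
    """Return (frames, remainder). Each frame is (command, fields).
    A trailing incomplete frame is left in `remainder` for the next read."""
    frames, pos = [], 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                  # length prefix not complete yet
        prefix = data[pos:nul]
        if not prefix.isdigit() or int(prefix) > MAX_FRAME:
            raise ValueError(f"bad length prefix {prefix!r} at offset {pos}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(data):
            break                                  # payload not complete yet
        fields = data[start:end].decode("utf-8", errors="replace").split(SPLITTER)
        frames.append((fields[0], fields[1:]))
        pos = end
    return frames, data[pos:]


def parse_registration(fields):
    """Unpack the fields of an "ll" registration frame (assumed layout)."""
    bot_id, host_user, date, _empty, os_name, _cam, version, _dots, window = fields[:9]
    botnet, _, serial = bot_id.rpartition("_")    # "HacKed_5F1A2B3C" -> ("HacKed", "5F1A2B3C")
    host, _, user = host_user.partition("/")
    try:
        title = base64.b64decode(window, validate=True).decode("utf-8", "replace")
    except ValueError:                             # not base64: keep the raw field
        title = window
    return {
        "botnet": botnet, "volume_serial": serial, "host": host, "user": user,
        "date": date, "os": os_name, "version": version, "window": title,
        "matches_config": botnet == BOTNET,
    }


def build_frame(*fields: str) -> bytes:
    """Used only to construct sample traffic for this example."""
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample: a registration frame, a bare "inf" frame, and a cut-off frame.
SAMPLE = (
    build_frame("ll", "HacKed_5F1A2B3C", "DESKTOP-TEST/analyst", "24-12-03", "",
                "Win 10 Pro SP0 x64", "No", "0.7d", "..", "UHJvZ3JhbSBNYW5hZ2Vy")
    + build_frame("inf")
    + b"12\x00ll" + SPLITTER.encode()       # truncated: only 7 of 12 payload bytes arrived
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE)
    for cmd, fields in frames:
        print(cmd, parse_registration(fields) if cmd == "ll" else fields)
    print("bytes buffered for next read:", len(rest))
```

Against this sample's config the registration check is only useful on a host where the bot can reach its C2; with the loopback address above, the frames will never leave the machine, so the parser is shown here for the general case of a sample whose config points at a real server.
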
Targets

    • Target

      4c0dd651b91d4e3a13cc6e29398fee4cff9f2624727830273e09dea2f9b52e5e.exe

    • Njrat family

    • njRAT/Bladabindi

      Widely used remote access trojan written in .NET.

    • Modifies Windows Firewall

      njRAT typically registers its own executable as an allowed program (netsh firewall add allowedprogram) so the outbound C2 connection is not blocked by the host firewall.

    • Checks computer location settings

      Reads the country code configured under Control Panel\International in the registry, likely a geofence check before the payload runs.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Persistence through a Run key; the reg_key value in the extracted config is the value name njRAT writes there.

    • Suspicious use of SetThreadContext

      Typically part of process hollowing (RunPE): a child process is started suspended and its thread context is pointed at injected code, consistent with the dropped-EXE execution above.
