General

  • Target

    bba1c348e80dc3737f8ec74c0e0c67e10323900eb1500b8ea5b8471b21a5ed61

  • Size

    2.0MB

  • Sample

    241206-knkchsvmgq

  • MD5

    f3aef511705f37f9792c6032b936ca61

  • SHA1

    eea5a388582c3fc189ff89ea213848d75f5332dc

  • SHA256

    bba1c348e80dc3737f8ec74c0e0c67e10323900eb1500b8ea5b8471b21a5ed61

  • SHA512

    f5bcc054517a3c9be56c4ea35daa1ff78ada7b8769b134e68acbc9ca1e1155d5e814fcb9b51d251ca86765a395b3d61b155b8b21b2ba9e66183bf6224e6de8ea

  • SSDEEP

    49152:V4CEM5MjMUOWGz6h4tU2+2yd/YNOGx65soFFQSZIyLD7+EFMy:cM5YF9hCR/aArxisg/Pay

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    2.tcp.eu.ngrok.io:16299

  • Mutex

    6d90d9a2ca0b357d5f629d5cdbe8d0d2

  • Attributes

    • reg_key

      6d90d9a2ca0b357d5f629d5cdbe8d0d2

    • splitter

      |'|'|

Targets

    • Target

      NjRat Loader.exe

    • Size

      2.3MB

    • MD5

      e4631d6e2fee44de27d84aff1ce7c7a5

    • SHA1

      d16bc9a9e7249e8f5b519cabbaafa0f1462bccdd

    • SHA256

      008478ff6c70392e5ecf933881df2c44f31fdf76ad88c407191233cb39de6528

    • SHA512

      fdba6e4c6ce13996f05bfa0680383c809b177aedbd300ce42e7f378fd8ad1a1b2cfbc6342b5f0f64d03142bc25f3cf538829cbd01c539ec4c1477121b8f6e8be

    • SSDEEP

      49152:x842+3u+OurHvP4yU222Yd/2bIKxwc6XfnVmAfIg39EJ:x8gTdrHvPfRn8ulx36PrNQ

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks