General
-
Target
9CF8C4A53D5E1C1646B07FD9A20F3DF5.exe
-
Size
24KB
-
Sample
241215-fs6zvsvmds
-
MD5
9cf8c4a53d5e1c1646b07fd9a20f3df5
-
SHA1
5b6bf82acb11421e90cede493d99931b750f23cd
-
SHA256
b88ea99a578d819000485da4b80ee871488088804481dc91698986c0c90f7c9e
-
SHA512
f21bcb90dfb9db76e09323152ad8bf5bee9f3a07c403e05e4f99efc557a318782a04af2140d73cef0c54f8fc9b3680b4881a2867470ff4fafd1b2f726cab9851
-
SSDEEP
384:HcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZt6bR:830py6vhxaRpcnun1
Malware Config
Extracted
njrat
0.7d
nesck
gfknoux.localto.net:3435
fda26501f9b381c7e35e3965cc3cee82
-
reg_key
fda26501f9b381c7e35e3965cc3cee82
-
splitter
|'|'|
Targets
-
-
Target
9CF8C4A53D5E1C1646B07FD9A20F3DF5.exe
-
Size
24KB
-
MD5
9cf8c4a53d5e1c1646b07fd9a20f3df5
-
SHA1
5b6bf82acb11421e90cede493d99931b750f23cd
-
SHA256
b88ea99a578d819000485da4b80ee871488088804481dc91698986c0c90f7c9e
-
SHA512
f21bcb90dfb9db76e09323152ad8bf5bee9f3a07c403e05e4f99efc557a318782a04af2140d73cef0c54f8fc9b3680b4881a2867470ff4fafd1b2f726cab9851
-
SSDEEP
384:HcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZt6bR:830py6vhxaRpcnun1
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1