General

  • Target

    408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24N.exe

  • Size

    1.2MB

  • Sample

    241216-njkdhaykdt

  • MD5

    b6d84da1e7884359bfae8fa18aaf8a80

  • SHA1

    c01a49d30d94f1b9d0d908ab9d7afd50f5bd2375

  • SHA256

    408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24

  • SHA512

    8bd8da789f8050e05913fc823e8b04469f87c5902a1d0a38225a61a5593052e718fea1609b06a2e90dbfe355f1c77de0511a1f0ed7b8538fca6f670642cd140a

  • SSDEEP

    24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaW7aWvCaFg5a7PCmWX95FC:Jh+ZkldoPK8YaW7CaZ7IHc

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

redlanhopto

C2

redlan.hopto.org:5553

Mutex

d25d360449d7bab3069e1b77b3a914a3

Attributes

  • reg_key

    d25d360449d7bab3069e1b77b3a914a3

  • splitter

    |'|'|

Targets

    • Target

      408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24N.exe

    • Size

      1.2MB

    • MD5

      b6d84da1e7884359bfae8fa18aaf8a80

    • SHA1

      c01a49d30d94f1b9d0d908ab9d7afd50f5bd2375

    • SHA256

      408e32d56539659189402923ae1e005d46d587adcc2b4d54fb931b0002050f24

    • SHA512

      8bd8da789f8050e05913fc823e8b04469f87c5902a1d0a38225a61a5593052e718fea1609b06a2e90dbfe355f1c77de0511a1f0ed7b8538fca6f670642cd140a

    • SSDEEP

      24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaW7aWvCaFg5a7PCmWX95FC:Jh+ZkldoPK8YaW7CaZ7IHc

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks