General

  • Target

    19001e098985660c96f306a1aaa99ea5b067355ce34d8a4f0f76bd81bbda2a7b.exe

  • Size

    37KB

  • Sample

    241217-ay6ndswkal

  • MD5

    0a4e7256601fa4008b2c1d0477fc7346

  • SHA1

    abe82e45ece52b3a43a2d6aac123278dbcae98ad

  • SHA256

    19001e098985660c96f306a1aaa99ea5b067355ce34d8a4f0f76bd81bbda2a7b

  • SHA512

    b48f6aa344c18fc86f795bb53bdf5e3db9eb2e659049f9c5150d80d3803f01ec16d10bc884203dc88ee5705d6a4bbe96701099d9f0c9539c368b75f45670caa5

  • SSDEEP

    384:tKaJXyxikPKw+AYNCylTWd9vzDPcm0D9rAF+rMRTyN/0L+EcoinblneHQM3epzX5:8aJCvENRlTWL/105rM+rMRa8NuTItC

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

* HaCkEd bY LoKn ;

C2

customers-edmonton.gl.at.ply.gg:28608

Mutex

c0e04992df15316c5d8ec54b808f70d7

Attributes

  • reg_key

    c0e04992df15316c5d8ec54b808f70d7

  • splitter

    |'|'|

Targets

    • Target

      19001e098985660c96f306a1aaa99ea5b067355ce34d8a4f0f76bd81bbda2a7b.exe

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks