General

  • Target

    d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe

  • Size

    37KB

  • Sample

    241217-fkgd8ssler

  • MD5

    4699bec8cd50aa7f2cecf0df8f0c26a0

  • SHA1

    c7c6c85fc26189cf4c68d45b5f8009a7a456497d

  • SHA256

    d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d

  • SHA512

    5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e

  • SSDEEP

    768:HXGD2mUbCv/cPDYjM/cA8rM+rMRa8NuEx2t:H2DSbW0rEMUAP+gRJNbx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

school

C2

167.71.56.116:22764

Mutex

872de6721af0b6833a743205be97e089

Attributes
  • reg_key

    872de6721af0b6833a743205be97e089

  • splitter

    |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.
