General

  • Target

    a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

  • Size

    93KB

  • Sample

    241217-v1rmgatkbv

  • MD5

    ceabf00e91c6d219345af40a28da43e8

  • SHA1

    1203c6455e46b4a7007dea71f81849d50e3e48c1

  • SHA256

    a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

  • SHA512

    6098e888ebde819d137d9132d7f27dee52c9214c64f76aad6ddac713426ad62a10cf37c36d9bcd568156b5c83f43cad80cb4608705e1eea7cd220a00ca04707f

  • SSDEEP

    768:AY3XiBD7O/pBcxYsbae6GIXb9pDXQzVMBwXCmXxrjEtCdnl2pi1Rz4Rk3B6sGd0F:PipOx6baIa9RtytjEwzGi1dDRmKVgS

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    dock

  • C2

    hakim32.ddns.net:2000

    pool-tournaments.gl.at.ply.gg:7445

  • Mutex

    13123c66ee9d74c7936482e0e7d9809f

Attributes

  • reg_key

    13123c66ee9d74c7936482e0e7d9809f

  • splitter

    |'|'|

Targets

    • Target

      a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks