General

  • Target

    Fps0ptimizer_ByKartavik.exe

  • Size

    93KB

  • Sample

    241227-mn3j7svjgk

  • MD5

    1a5e53bb0bcbcbb680fbb54a55a1c630

  • SHA1

    5d420fbdfa84f3828ccbfa7ca1709edaddd22839

  • SHA256

    865d9448dab0a512e40d8cf95d83cccdc9bb32806466d5ae3d2a30301f299a80

  • SHA512

    1dcd0ac4af1b16770bf163060838f33fe534762d5b4e42d83c9733cdaaf827852a14f18bbccb4c802ef87f8fa3d39707a96bcc60e40e73b23043371a9537495a

  • SSDEEP

    1536:HemC+xhUa9urgOB9mNvM4jEwzGi1dDYDLgS:HegUa9urgOidGi1dmE

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    hakim32.ddns.net:2000

    0.tcp.eu.ngrok.io:19331

  • Mutex

    48a41a18500fb55c8cc19095299f8b6a

  • Attributes

    • reg_key

      48a41a18500fb55c8cc19095299f8b6a

    • splitter

      |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15