General
-
Target
22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4
-
Size
505KB
-
Sample
250119-w6wdaaznhs
-
MD5
af5e353de273a7b6f8b381b0c587a730
-
SHA1
7c4d908a23eff944247f82469517ddc1164f4ae0
-
SHA256
22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4
-
SHA512
2a20b193dcd292b2325030476ed9e89c947a658e0d5a059d3fb8ed3197d7fe546172e69323806dbc7936390caac12791f1592f1440053dca0c4e6170218e50cd
-
SSDEEP
12288:/LMEalqxXblqoRX5qbfphLxaOSoSDiFJ9e6sXr:zqaXNabfphLxaVpDir46sb
Malware Config
Extracted
njrat
0.7d
Lammer
ie-serving.gl.at.ply.gg:18976
d386661cfe8f30c3a692533641b57806
-
reg_key
d386661cfe8f30c3a692533641b57806
-
splitter
|'|'|
Targets
-
-
Target
22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4
-
Size
505KB
-
MD5
af5e353de273a7b6f8b381b0c587a730
-
SHA1
7c4d908a23eff944247f82469517ddc1164f4ae0
-
SHA256
22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4
-
SHA512
2a20b193dcd292b2325030476ed9e89c947a658e0d5a059d3fb8ed3197d7fe546172e69323806dbc7936390caac12791f1592f1440053dca0c4e6170218e50cd
-
SSDEEP
12288:/LMEalqxXblqoRX5qbfphLxaOSoSDiFJ9e6sXr:zqaXNabfphLxaVpDir46sb
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1