General
-
Target
Lammer.exe
-
Size
23KB
-
Sample
250122-svq3mssnhw
-
MD5
4dce52dbc5ba59345d903b75dc4f5744
-
SHA1
2a60662589763af37112be6f6a106e0cdf9e1ef1
-
SHA256
d363d69f8947b9f5bf764be843fac0fff046bfad8fc11ca742cdf154580af3ec
-
SHA512
c64dc39aeae9a1dcedf9e92528cf5559dd5c8c0ba371e4440306cd475bb0188e94e5c29dfc0f2dfd6a80b0eacb4c27fecf6ead2cab976b64515023a227a3dcdf
-
SSDEEP
384:7QeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZEfk:85yBVd7Rpcnuxk
Malware Config
Extracted
njrat
0.7d
Lammer
station-gps.gl.at.ply.gg:1609
4bb89cc54f6ee116b30b245f35856c5a
-
reg_key
4bb89cc54f6ee116b30b245f35856c5a
-
splitter
|'|'|
Targets
-
-
Target
Lammer.exe
-
Size
23KB
-
MD5
4dce52dbc5ba59345d903b75dc4f5744
-
SHA1
2a60662589763af37112be6f6a106e0cdf9e1ef1
-
SHA256
d363d69f8947b9f5bf764be843fac0fff046bfad8fc11ca742cdf154580af3ec
-
SHA512
c64dc39aeae9a1dcedf9e92528cf5559dd5c8c0ba371e4440306cd475bb0188e94e5c29dfc0f2dfd6a80b0eacb4c27fecf6ead2cab976b64515023a227a3dcdf
-
SSDEEP
384:7QeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZEfk:85yBVd7Rpcnuxk
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1