General
-
Target
Camage.exe
-
Size
6.6MB
-
Sample
250125-slqqhsyjby
-
MD5
e0c3eda8d569e0848eabdae133a6b05e
-
SHA1
f9dcf9fe72740e4fa2f49f4d3012a2ddfa1c3811
-
SHA256
93671abc447ff16f9151bbefe40db894bc2abc2e0a722221bf2cf31840ad37ae
-
SHA512
dc83fee38df142504ad06c656ee929671e8064f28e9a59a26d589d636fc08692a535f990414e982d744eb8b3e8e49833c7cd3c02e3bbd21ff0c78bcadbbd2332
-
SSDEEP
98304:DzLv+e6eh0XWy2u4LhpqIGEB5Okt1QzAFF5Zg51AJE:vLWe6nIrLhHdrQzAFJgDK
Static task
static1
Behavioral task
behavioral1
Sample
Camage.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Camage.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
njrat
0.7d
Lammer
station-gps.gl.at.ply.gg:26933
ded5a8703334377d83da00a864706211
-
reg_key
ded5a8703334377d83da00a864706211
-
splitter
|'|'|
Targets
-
-
Target
Camage.exe
-
Njrat family
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
  Event Triggered Execution: 1
    Netsh Helper DLL: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
  Event Triggered Execution: 1
    Netsh Helper DLL: 1
Defense Evasion
  Hide Artifacts: 1
    Hidden Files and Directories: 1
  Impair Defenses: 1
    Disable or Modify System Firewall: 1
  Modify Registry: 1