Static Analysis — NjRAT | HIGH | CVSS: 7.5

File

SHA256: 5a4ae73d9deab5225bf225fec5f1a1bd92d1e7cded7384e17d4a38528e44389a
MD5: 841cab2a3109ceb13f2bc33042ff4db7
File: 5a4ae73d9deab5225bf225fec5f1a1bd92d1e7cded7384e17d4a38528e44389a.exe
Size: 3,082,240 bytes
Type: PE32+ executable for MS Windows 6.01 (GUI), x86-64, 4 sections
Strings: 13,621
PDB: C:\Users\markh\code\mygithub\NAudio\NAudio.Core\obj\Release\netstandard2.0\NAudio.Core.pdb

Sections

Name Entropy
UPX0 6.32
UPX1 4.44
UPX2 1.57
.rsrc 4.47

IOC

SHA256: 5a4ae73d9deab5225bf225fec5f1a1bd92d1e7cded7384e17d4a38528e44389a
MD5: 841cab2a3109ceb13f2bc33042ff4db7
IP: 4.0.0.0, 2.2.1.0, 17.14.0.0, 2.0.0.0, 18.0.0.0
Domain: github.com, comodoca.com, 14stddltadxaesshaavxfmaintmapnetgcmreadopensyncfilepipestat.com, system.io, exec.in, system.net, sectigo.com, usertrust.com
Mutex: runtime.mutex, eq.sync.RWMutex, sync.RWMutex, poll.fdMutex, eq.sync.Mutex
PDB: C:\Users\markh\code\mygithub\NAudio\NAudio.Core\obj\Release\netstandard2.0\NAudio.Core.pdb
     C:\Users\markh\code\mygithub\NAudio\NAudio.WinMM\obj\Release\netstandard2.0\NAudio.WinMM.pdb
     C:\Users\markh\code\mygithub\NAudio\NAudio.Wasapi\obj\Release\netstandard2.0\NAudio.Wasapi.pdb
C2: github.com, comodoca.com, 14stddltadxaesshaavxfmaintmapnetgcmreadopensyncfilepipestat.com, system.io, exec.in

NjRAT — Malware Profile

njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.

Malware Type
RAT
Programming Language
VB.NET
C2 Protocol
TCP (default port 1177)
Target Systems
Windows
Also Known As (AKA)
Bladabindi, H-Worm, houdini

Technical Details

TCP port 1177 (default), XOR-based communication encryption, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, Keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera

Attribution / Threat Actor

Arabic-speaking cybercrime communities, most of all groups in the MENA (Middle East and North Africa) region. It was also used by Syrian groups during the Syrian civil war.

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (23 indicators)

Type Value Note
ip 4.0.0.0 C2 candidate
ip 2.2.1.0 C2 candidate
ip 17.14.0.0 C2 candidate
ip 2.0.0.0 C2 candidate
ip 18.0.0.0 C2 candidate
domain github.com C2 domain
domain comodoca.com C2 domain
domain 14stddltadxaesshaavxfmaintmapnetgcmreadopensyncfilepipestat.com C2 domain
domain system.io C2 domain
domain exec.in C2 domain
domain system.net C2 domain
domain sectigo.com C2 domain
domain usertrust.com C2 domain
mutex runtime.mutex Mutex
mutex eq.sync.RWMutex Mutex
mutex sync.RWMutex Mutex
mutex poll.fdMutex Mutex
mutex eq.sync.Mutex Mutex
filepath C:\Users\markh\code\mygithub\NAudio\NAudio.Core\obj\Release\netstandard2.0\NAudio.Core.pdb PDB
filepath C:\Users\markh\code\mygithub\NAudio\NAudio.WinMM\obj\Release\netstandard2.0\NAudio.WinMM.pdb PDB
filepath C:\Users\markh\code\mygithub\NAudio\NAudio.Wasapi\obj\Release\netstandard2.0\NAudio.Wasapi.pdb PDB
filepath C:\Users\markh\code\mygithub\NAudio\NAudio.Midi\obj\Release\netstandard2.0\NAudio.Midi.pdb PDB
filepath C:\Users\markh\code\mygithub\NAudio\NAudio.Asio\obj\Release\netstandard2.0\NAudio.Asio.pdb PDB

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
system.io domain — TCP active —
microsoft.com domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
NjRAT, malware, static-analysis, IOC