njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.
Malware Type
RAT
Programming Language
VB.NET
C2 Protocol
TCP (default port 1177)
Target Systems
Windows
Also Known As (AKA)
Bladabindi, H-Worm, houdini
Technical Details
TCP port 1177 (default), XOR-based encryption of C2 traffic, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, keylogger (GetAsyncKeyState), clipboard monitor, screenshot capture, remote shell, remote camera
Attribution / Threat Actor
Arabic-speaking cybercrime communities, above all groups in the MENA (Middle East and North Africa) region. It was also used by Syrian groups during the Syrian civil war.
Capabilities & Behavior
Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism
IOC List
(27 indicators)
IOC — NjRAT