Fichier Kimligi
| SHA256 | d259aecd2b2feb2c9304c5e0d7c6f5f00fc7bc2db4cbd876339a39ed2c49f6c2 |
|---|---|
| MD5 | b62d4b0851d859a8140f21074cc3edfb |
| SHA1 | d74b67d4ff94f3d60fc8b2ba62de1da2eb56e9a2 |
| Taille | 15328 byte |
| Tur | /opt/ksentinel/samples/c559ae3589ef6275ab17974827435d17215a4f81b35da976a98299021 |
| Derleme | Inconnu |
| Packer | UPX |
Yetenekler
- Tespit edilemedi (obfuskeli)
Gelistirici Ipuclari
PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|'
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^
PE Analizi
Binwalk / Packer
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Zip archive data, encrypted compressed size: 15
Famille Tespiti
String kaniti bulunamadi (sifrelenmis/obfuskeli).
NjRAT — Profil du malware
njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.
Détails techniques
TCP port 1177 (varsayilan), XOR tabanlı iletisim sifreleme, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, Keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera
Attribution / Acteur de la menace
Arap dilli siber suc topluluklari, en cok MENA (Orta Dogu ve Kuzey Afrika) bolgesindeki gruplar. Yasama savasi donemi Suriyeli gruplar tarafindan da kullanilmistir.
Capacités et comportement
Liste IOC (5 indicateurs)
#
d74b67d4ff94f3d60fc8b2ba62de1da2eb56e9a2
# SHA256
d259aecd2b2feb2c9304c5e0d7c6f5f00fc7bc2db4cbd876339a39ed2c49f6c2
# MD5
b62d4b0851d859a8140f21074cc3edfb
# FILEPATH
bash: -c: line 1: syntax error near unexpected token `|'
# FILEPATH
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
| Type | Valeur | Note |
|---|---|---|
| d74b67d4ff94f3d60fc8b2ba62de1da2eb56e9a2 | ||
| sha256 | d259aecd2b2feb2c9304c5e0d7c6f5f00fc7bc2db4cbd876339a39ed2c49f6c2 | |
| md5 | b62d4b0851d859a8140f21074cc3edfb | |
| filepath | bash: -c: line 1: syntax error near unexpected token `|' | |
| filepath | bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10' |
Serveurs C2 (8 serveurs enregistrés pour cette famille)
| Adresse | Type | Port | Protocole | Statut | Pays |
|---|---|---|---|---|---|
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| comodoca.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| comodoca.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.