njRAT (Bladabindi). Spanish "cotizacion" (price quotation) lure. get_Panel1 C2 panel. MENA and Latin America targeting.
Malware Type
RAT
Programming Language
VB.NET
C2 Protocol
TCP (default port 1177)
Target Systems
Windows
Also Known As (AKA)
Bladabindi, H-Worm, Houdini
Technical Details
TCP port 1177 (default), XOR-based encryption of C2 communication, requires .NET Framework 2.0+, Mutex: {GUID}, persistence via a Registry Run key, keylogger (GetAsyncKeyState), clipboard monitor, screenshot capture, remote shell, remote camera
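An added example, not code from this profile or from the njRAT codebase: a Python framer and flow classifier for njRAT-style C2 traffic. The profile itself only states TCP on default port 1177; the wire framing (ASCII decimal length, a NUL byte, then the payload) and the field separator |'|'| are assumptions taken from public analyses of njRAT 0.7d samples, the "ll" registration and "P" keep-alive commands and the HacKed_ victim-id prefix are likewise assumed from those analyses, and the sample stream is constructed for this example.

```python
# Added example for this njRAT profile; not the page's or the malware's code.
# Assumption: njRAT frames each TCP message as <ASCII length>\x00<payload> and
# joins payload fields with |'|'| (from public analyses of njRAT 0.7d samples).
# The page only states TCP on default port 1177.
import base64

SEP = b"|'|'|"          # field separator inside a payload (assumed)
DEFAULT_PORT = 1177     # default C2 port stated on the page


def frame_messages(stream: bytes) -> list:
    """Split a raw TCP stream into complete payloads.

    A trailing partial frame is left unconsumed (returned list stops there).
    A non-numeric length field raises ValueError so a caller can treat the
    stream as not-njRAT instead of mis-parsing unrelated traffic.
    """
    payloads = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # no length/payload boundary left
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError("non-numeric length field at offset %d" % pos)
        start = nul + 1
        end = start + int(length_field)
        if end > len(stream):
            break                                   # partial frame, wait for more data
        payloads.append(stream[start:end])
        pos = end
    return payloads


def _maybe_b64(field: bytes) -> str:
    """Decode a field as base64 when it decodes to printable ASCII, else keep raw text.

    Heuristic: njRAT base64-encodes hostname/user fields; ids such as
    HacKed_... contain characters outside the base64 alphabet and stay raw.
    """
    try:
        text = base64.b64decode(field, validate=True).decode("ascii")
        if text.isprintable():
            return text
    except (ValueError, UnicodeDecodeError):
        pass
    return field.decode("latin-1")


def parse_message(payload: bytes) -> dict:
    """Split one payload into its command token and decoded argument fields."""
    fields = payload.split(SEP)
    return {
        "cmd": fields[0].decode("latin-1"),
        "args": [_maybe_b64(f) for f in fields[1:]],
    }


def classify_flow(dst_port: int, stream: bytes):
    """Label a flow by how strongly it matches the njRAT pattern.

    Operators change the port, so the separator inside correctly framed
    messages outranks the port; port alone is only a weak signal.
    """
    try:
        msgs = frame_messages(stream)
    except ValueError:
        msgs = []
    has_sep = any(SEP in m for m in msgs)
    if has_sep and dst_port == DEFAULT_PORT:
        return "njrat-default-port"
    if has_sep:
        return "njrat-custom-port"
    if dst_port == DEFAULT_PORT:
        return "port-only"
    return None


def _frame(payload: bytes) -> bytes:
    """Build one frame in the assumed <length>\x00<payload> format."""
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream: a registration ("ll") message with a constructed
# victim id, base64 hostname and user, then a keep-alive ("P"), then a
# truncated trailing frame that a streaming parser must not consume.
SAMPLE_STREAM = (
    _frame(b"ll" + SEP + b"HacKed_ABC123" + SEP
           + base64.b64encode(b"WIN-LAB01") + SEP + base64.b64encode(b"user"))
    + _frame(b"P")
    + b"12\x00partial"
)

if __name__ == "__main__":
    for m in frame_messages(SAMPLE_STREAM):
        print(parse_message(m))
    print(classify_flow(DEFAULT_PORT, SAMPLE_STREAM))
```

Feed the function the reassembled client-to-server byte stream of a flow (for example from a pcap); the separator check on parsed frames is what distinguishes njRAT from other traffic that happens to use port 1177.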
Attribution / Threat Actor
Arabic-speaking cybercrime communities, mostly groups in the MENA (Middle East and North Africa) region. Also used by Syrian groups during the civil war.
Capabilities & Behavior
Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism
IOC List
(28 indicators, apparently from automated string extraction. Caveat: the entries below look like strings pulled from a .NET binary rather than observed infrastructure: the "IP" entries have the shape of assembly version numbers, the "domains" include benign sites (github.com, sqlite.org, xmlsoap.org) and .NET namespace fragments, the "mutex" entries are SQLite and CLR API names, and the PDB paths come from .NET runtime and System.Data.SQLite builds. Validate each against sandbox or network evidence before using it in detection.)
IOC — NjRAT
# IP
4.2.1.0
# IP
3.5.0.0
# IP
1.0.119.0
# IP
1.4.2.13
# IP
4.0.0.0
# IP
9.0.0.0
# IP
8.0.0.0
# IP
2.1.0.0
# IP
1.0.0.0
# IP
6.0.0.0
# DOMAIN
github.com
# DOMAIN
system.net
# DOMAIN
esystem.io
# DOMAIN
json.net
# DOMAIN
dll8system.net
# DOMAIN
vsystem.net
# DOMAIN
instance.in
# DOMAIN
sqlite.org
# DOMAIN
xmlsoap.org
# DOMAIN
bsystem.net
# MUTEX
SQLITE_OPEN_NOMUTEX
# MUTEX
SQLITE_CONFIG_MUTEX
# MUTEX
_receiveMutex
# MUTEX
COR_E_ABANDONEDMUTEX
# MUTEX
ReleaseMutex
# FILEPATH
D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdb
# FILEPATH
D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb
# FILEPATH
C:\dev\sqlite\dotnet-private\System.Data.SQLite\obj\Release\netstandard2.1\System.Data.SQLite.pdb