njrat | f22439962187e053f6a5dfa280d3ac2e3448ca470edd5c13f062d5ba1764381b | Triage

Sharing

General

Target

f22439962187e053f6a5dfa280d3ac2e3448ca470edd5c13f062d5ba1764381b
Size

811KB
Sample

201109-s3rrnqaqtx
MD5

d140c7ba47d3d994ae02e4f7aa745f8d
SHA1

373b96a1698d8763bf0a1dee8c50d030eaab33bd
SHA256

f22439962187e053f6a5dfa280d3ac2e3448ca470edd5c13f062d5ba1764381b
SHA512

82830dd11fcc0b0647c6db52a2c05b70bb94d1ba3d806f42a64f2ef32c02e2e7e54dba383853bec9316530a445f3b2fedca758f8cd68d089bc8f7ee9622f1540

Score

10^/10

njrat zombie evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

zombie

C2

211.47.116.45:1

Mutex

62b4d621e32d06845b707d4f428bee85

Attributes

reg_key
62b4d621e32d06845b707d4f428bee85
splitter
|'|'|

Targets

- Target
  
  f22439962187e053f6a5dfa280d3ac2e3448ca470edd5c13f062d5ba1764381b
- Size
  
  811KB
- MD5
  
  d140c7ba47d3d994ae02e4f7aa745f8d
- SHA1
  
  373b96a1698d8763bf0a1dee8c50d030eaab33bd
- SHA256
  
  f22439962187e053f6a5dfa280d3ac2e3448ca470edd5c13f062d5ba1764381b
- SHA512
  
  82830dd11fcc0b0647c6db52a2c05b70bb94d1ba3d806f42a64f2ef32c02e2e7e54dba383853bec9316530a445f3b2fedca758f8cd68d089bc8f7ee9622f1540
Score

10^/10

njrat zombie evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratzombieevasionpersistencetrojan

behavioral2

njratzombieevasionpersistencetrojan