Overview

overview

10

Static

static

rTay7rkg.exe

windows7_x64

10

rTay7rkg.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rTay7rkg.exe

  • Size

    23KB

  • Sample

    201120-5kxml3lh1e

  • MD5

    b3c9f88e4582e86a1d7bb0e8cfa0299f

  • SHA1

    63fb8cc77150d8e672279907259c4da4b69a5651

  • SHA256

    14dab534b57de16260131063371f80155f250eabfcab9caaf3f6785a64f0bae5

  • SHA512

    7749cc3f9a8d8c6ee19e8743028cc97a9d6b1e9e15b8fa2fae1264b4f90130b0ed22f0e583477b6bd01b6061ca748b1f22efb0347b69279b621d76193f300734

Score
10/10
njratbouffonevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bouffon

C2

njrat93.hopto.org:5554

Mutex

922bd43c3c9463391bee6d7111ec98ad

Attributes
  • reg_key

    922bd43c3c9463391bee6d7111ec98ad

  • splitter

    |'|'|

Targets

    • Target

      rTay7rkg.exe

    • Size

      23KB

    • MD5

      b3c9f88e4582e86a1d7bb0e8cfa0299f

    • SHA1

      63fb8cc77150d8e672279907259c4da4b69a5651

    • SHA256

      14dab534b57de16260131063371f80155f250eabfcab9caaf3f6785a64f0bae5

    • SHA512

      7749cc3f9a8d8c6ee19e8743028cc97a9d6b1e9e15b8fa2fae1264b4f90130b0ed22f0e583477b6bd01b6061ca748b1f22efb0347b69279b621d76193f300734

    Score
    10/10
    njratbouffonevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks