njrat | 3f9c4d9047bbdb5f2c575c11c9b7d43e94a8053ec7a03318ce82fcac84d74b14 | Triage

Sharing

General

Target

b9c6c9838b6c8f0ee4142de9a4a15d79
Size

31KB
Sample

201214-zd126kvyq6
MD5

b9c6c9838b6c8f0ee4142de9a4a15d79
SHA1

0b8facf9ac1e2c02f2cc719019e8f19225d25447
SHA256

3f9c4d9047bbdb5f2c575c11c9b7d43e94a8053ec7a03318ce82fcac84d74b14
SHA512

9aed75440268b61717356c9fec17022d5a08badc73036100b17437c2d959cc4fbd76cd13b1316c79a09c46a877939da40f1d0611fa6fa6915495eb0ae228fe0b

Score

10^/10

njrat sqli dumper evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SQLi Dumper

C2

osbios.net:3129

Mutex

b3bb675697aae6a94367e8803b763fc4

Attributes

reg_key
b3bb675697aae6a94367e8803b763fc4
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  b9c6c9838b6c8f0ee4142de9a4a15d79
- Size
  
  31KB
- MD5
  
  b9c6c9838b6c8f0ee4142de9a4a15d79
- SHA1
  
  0b8facf9ac1e2c02f2cc719019e8f19225d25447
- SHA256
  
  3f9c4d9047bbdb5f2c575c11c9b7d43e94a8053ec7a03318ce82fcac84d74b14
- SHA512
  
  9aed75440268b61717356c9fec17022d5a08badc73036100b17437c2d959cc4fbd76cd13b1316c79a09c46a877939da40f1d0611fa6fa6915495eb0ae228fe0b
Score

10^/10

njrat sqli dumper evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratsqli dumperevasionpersistencetrojan

behavioral2

njratsqli dumperevasionpersistencetrojan