njrat | 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350 | Triage

Submit
Reports

Overview

overview

Static

static

ZAgNhZBG.exe

windows7_x64

ZAgNhZBG.exe

windows10_x64

Sharing

General

Target

ZAgNhZBG.exe
Size

23KB
Sample

201221-dp5bj79tvx
MD5

5859e656d5735eb9a1eeae9a94a3cc16
SHA1

85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
SHA256

4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
SHA512

8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68

Score

10^/10

njrat hacked evasion persistence spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

ZAgNhZBG.exe

Resource

win7v20201028

njrat hacked evasion persistence spyware stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ZAgNhZBG.exe

Resource

win10v20201028

njrat hacked evasion persistence spyware stealer trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

xoruf.ddns.net:5552

Mutex

d8f3c9bf39e889408d972a936cea46cc

Attributes

reg_key
d8f3c9bf39e889408d972a936cea46cc
splitter
@!#&^%$

Targets

- Target
  
  ZAgNhZBG.exe
- Size
  
  23KB
- MD5
  
  5859e656d5735eb9a1eeae9a94a3cc16
- SHA1
  
  85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
- SHA256
  
  4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
- SHA512
  
  8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68
Score

10^/10

njrat hacked evasion persistence spyware stealer trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencespywarestealertrojanupx

behavioral2

njrathackedevasionpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy