Overview

overview

10

Static

static

zrr4Nw19.exe

windows7_x64

10

zrr4Nw19.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    zrr4Nw19.exe

  • Size

    28KB

  • Sample

    210102-d6xyjrefbe

  • MD5

    98f22cce467d54a330bbbce9a0261a5a

  • SHA1

    6cbd7608018a7d503e653f444004ca525d90875c

  • SHA256

    7e31b3a603afe3a04745f35987db0d90e2643676b920df2185e11ae06ad32a4f

  • SHA512

    7f2a7afcd1397f3f920da7b7585fdd948cff4b6e7944f83cd1bdc614d3db333a2c5dc2b3c85a61688d8d1e789ffb484425fa619e56d41a266eff2298f98d73f8

Score
10/10
njratfkaevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

FKA

Mutex

15ea4944f270282d46a1f0dd4d332e8f

Attributes
  • reg_key

    15ea4944f270282d46a1f0dd4d332e8f

  • splitter

    |'|'|

Targets

    • Target

      zrr4Nw19.exe

    • Size

      28KB

    • MD5

      98f22cce467d54a330bbbce9a0261a5a

    • SHA1

      6cbd7608018a7d503e653f444004ca525d90875c

    • SHA256

      7e31b3a603afe3a04745f35987db0d90e2643676b920df2185e11ae06ad32a4f

    • SHA512

      7f2a7afcd1397f3f920da7b7585fdd948cff4b6e7944f83cd1bdc614d3db333a2c5dc2b3c85a61688d8d1e789ffb484425fa619e56d41a266eff2298f98d73f8

    Score
    10/10
    njratfkaevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks