njrat | eb7b4bb8bdbd8f176f035ffaa55c607595638cc289ceca5e4df9636a70f517e0 | Triage

Sharing

General

Target

f3b94012_extracted
Size

23KB
Sample

210304-cryqftxrg2
MD5

c7dbecf69ab308b7fd2c863f2d52fc03
SHA1

8b61bd4e0c169dd50c5c84936f8d2d2b9b9ef2cb
SHA256

eb7b4bb8bdbd8f176f035ffaa55c607595638cc289ceca5e4df9636a70f517e0
SHA512

f06e545169903bf42886e9cc20a9e7b722a713460df64312de46bf35b29b5b1099f44f6f95b1f17c0e86dbe18705cfd2394abcda35e83672776a89cb08152751

Score

10^/10

njrat $$$$$$fucking evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

$$$$$$Fucking

C2

whmfix009.cf:5409

Mutex

f6a7c83d337d940f548e06019597f0a2

Attributes

reg_key
f6a7c83d337d940f548e06019597f0a2
splitter
|'|'|

Targets

- Target
  
  f3b94012_extracted
- Size
  
  23KB
- MD5
  
  c7dbecf69ab308b7fd2c863f2d52fc03
- SHA1
  
  8b61bd4e0c169dd50c5c84936f8d2d2b9b9ef2cb
- SHA256
  
  eb7b4bb8bdbd8f176f035ffaa55c607595638cc289ceca5e4df9636a70f517e0
- SHA512
  
  f06e545169903bf42886e9cc20a9e7b722a713460df64312de46bf35b29b5b1099f44f6f95b1f17c0e86dbe18705cfd2394abcda35e83672776a89cb08152751
Score

10^/10

njrat $$$$$$fucking evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrat$$$$$$fuckingevasionpersistencetrojan

behavioral2

njrat$$$$$$fuckingevasionpersistencetrojan