njrat | 531471184d5c8eb4ec97c12059b5bbc8f397b3749033f7fd80405a1b560fbb17 | Triage

Submit
Reports

Overview

overview

Static

static

8

July2020_S...50.doc

windows7_x64

July2020_S...50.doc

windows10_x64

Sharing

General

Target

July2020_SGD894_CODE_850.doc
Size

43KB
Sample

210510-p9dbbphsca
MD5

2a8f04ddc03f8c4db0821275619b55b4
SHA1

8bf21477518f4f33bbd9f1a0f013302be516ea53
SHA256

531471184d5c8eb4ec97c12059b5bbc8f397b3749033f7fd80405a1b560fbb17
SHA512

27eb081ce75ae5015adc7368b109fd82b6fa7dfab627a4faa0a8cc43aa83385f75906e463b1a0cde23490f0274c150578c923c2fe3e9d2eec9e26492fd717c43

Score

10^/10

njrat 2021$$$agilenet evasion macro persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

July2020_SGD894_CODE_850.doc

Resource

win7v20210408

njrat 2021$$$agilenet evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

July2020_SGD894_CODE_850.doc

Resource

win10v20210410

njrat evasion persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://meetthepriestessatl.com/August2020.exe

Extracted

Family

njrat

Version

0.7d

Botnet

2021$$$

C2

194.5.98.210:4040

Mutex

0ef5de3f5b1fb89677ba03e41fa0a05a

Attributes

reg_key
0ef5de3f5b1fb89677ba03e41fa0a05a
splitter
|'|'|

Targets

- Target
  
  July2020_SGD894_CODE_850.doc
- Size
  
  43KB
- MD5
  
  2a8f04ddc03f8c4db0821275619b55b4
- SHA1
  
  8bf21477518f4f33bbd9f1a0f013302be516ea53
- SHA256
  
  531471184d5c8eb4ec97c12059b5bbc8f397b3749033f7fd80405a1b560fbb17
- SHA512
  
  27eb081ce75ae5015adc7368b109fd82b6fa7dfab627a4faa0a8cc43aa83385f75906e463b1a0cde23490f0274c150578c923c2fe3e9d2eec9e26492fd717c43
Score

10^/10

njrat 2021$$$agilenet evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrat2021$$$agilenetevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan

© 2018-2024

Terms | Privacy