njrat | 2f1a1876ace64c903d59ad47f1b99fbd622caa4968b238e69bd1d42b7b9b945c | Triage

Submit
Reports

Overview

overview

Static

static

8

TraderansO...1.xlsm

windows7_x64

TraderansO...1.xlsm

windows10_x64

Sharing

General

Target

TraderansOrder-NO-046-202_12072021.xlsm
Size

37KB
Sample

210712-vczwvb5aqa
MD5

f83fd3b81e2017c59108f8b678b0fbfe
SHA1

15a026231075b59abfb4cfabdbfdfb096575d355
SHA256

2f1a1876ace64c903d59ad47f1b99fbd622caa4968b238e69bd1d42b7b9b945c
SHA512

93a6a5803c99be346397a94148de27650413d7b032f5f661c59f8e39153d94d314520dd5b068dbb777038bd46810f5e100bf5b0d5e0a3d41f51a1951e6217dd0

Score

10^/10

njrat 2021$$$agilenet evasion macro persistence trojan xlm

Static task

static1

Behavioral task

behavioral1

Sample

TraderansOrder-NO-046-202_12072021.xlsm

Resource

win7v20210410

njrat 2021$$$agilenet evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TraderansOrder-NO-046-202_12072021.xlsm

Resource

win10v20210408

njrat 2021$$$agilenet evasion persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://iurl.vip/nulvn

Extracted

Family

njrat

Version

0.7d

Botnet

2021$$$

C2

194.5.98.210:4040

Mutex

0ef5de3f5b1fb89677ba03e41fa0a05a

Attributes

reg_key
0ef5de3f5b1fb89677ba03e41fa0a05a
splitter
|'|'|

Targets

- Target
  
  TraderansOrder-NO-046-202_12072021.xlsm
- Size
  
  37KB
- MD5
  
  f83fd3b81e2017c59108f8b678b0fbfe
- SHA1
  
  15a026231075b59abfb4cfabdbfdfb096575d355
- SHA256
  
  2f1a1876ace64c903d59ad47f1b99fbd622caa4968b238e69bd1d42b7b9b945c
- SHA512
  
  93a6a5803c99be346397a94148de27650413d7b032f5f661c59f8e39153d94d314520dd5b068dbb777038bd46810f5e100bf5b0d5e0a3d41f51a1951e6217dd0
Score

10^/10

njrat 2021$$$agilenet evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrat2021$$$agilenetevasionpersistencetrojan

behavioral2

njrat2021$$$agilenetevasionpersistencetrojan

© 2018-2024

Terms | Privacy