njrat | 12a274ddd6b7467b4e9374d80a3d3fd4e8cfc576da550801adf0bc6b6617bb07 | Triage

Sharing

General

Target

PO-16065.exe
Size

840KB
Sample

210901-42jnfbs5zs
MD5

0e6d1a1750ba2e5607f3a4c30cd4d3fd
SHA1

83ead02316dd86eda8b44a447e3f6760cd8c7a19
SHA256

12a274ddd6b7467b4e9374d80a3d3fd4e8cfc576da550801adf0bc6b6617bb07
SHA512

41af1c39d0f9d4f9dc66f620b5bf834055be68313f80f2d9c6243732d0f592e53fbe5530ff8d1b3a7260e4ae40235f83116b5d6f5f068f6a18ac6d3328ba218f

Score

10^/10

njrat punk evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

punk

C2

percolysrl2.ddns.net:4030

Mutex

a638e19e1811dec878802351e21c12c8

Attributes

reg_key
a638e19e1811dec878802351e21c12c8
splitter
|'|'|

Targets

- Target
  
  PO-16065.exe
- Size
  
  840KB
- MD5
  
  0e6d1a1750ba2e5607f3a4c30cd4d3fd
- SHA1
  
  83ead02316dd86eda8b44a447e3f6760cd8c7a19
- SHA256
  
  12a274ddd6b7467b4e9374d80a3d3fd4e8cfc576da550801adf0bc6b6617bb07
- SHA512
  
  41af1c39d0f9d4f9dc66f620b5bf834055be68313f80f2d9c6243732d0f592e53fbe5530ff8d1b3a7260e4ae40235f83116b5d6f5f068f6a18ac6d3328ba218f
Score

10^/10

njrat punk evasion persistence suricata trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- Modifies Windows Firewall
  evasion
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratpunkevasionpersistencesuricatatrojan

behavioral2

njratpunkevasionpersistencesuricatatrojan