njrat | 97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1 | Triage

Sharing

General

Target

97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1
Size

220KB
Sample

210903-k6rvbachc7
MD5

ea9bf7fd66e692a233b8252c9c64a879
SHA1

06f8c1cab06d866b3ed0522b380bf08e866b9f74
SHA256

97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1
SHA512

f4c6d42c6b5b5c429bd5fc36a452ac10a88801f6ff9971b260d9d6256dfdbe2fd40442d2b39dbd8f7a708a7202cfa49d6da1900de23d3b7a094b041da4806437

Score

10^/10

njrat hello evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hello

C2

configpaid.hopto.org:1177

Mutex

2918d83a8048748f66be3a548e28d02b

Attributes

reg_key
2918d83a8048748f66be3a548e28d02b
splitter
|'|'|

Targets

- Target
  
  97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1
- Size
  
  220KB
- MD5
  
  ea9bf7fd66e692a233b8252c9c64a879
- SHA1
  
  06f8c1cab06d866b3ed0522b380bf08e866b9f74
- SHA256
  
  97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1
- SHA512
  
  f4c6d42c6b5b5c429bd5fc36a452ac10a88801f6ff9971b260d9d6256dfdbe2fd40442d2b39dbd8f7a708a7202cfa49d6da1900de23d3b7a094b041da4806437
Score

10^/10

njrat hello evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathelloevasionpersistencetrojan

behavioral2

njrathelloevasionpersistencetrojan