njrat | 2032f4f31c54a376ba843d105bcc38e057ce52da9f2274d42c6391d308718366 | Triage

Sharing

General

Target

2032f4f31c54a376ba843d105bcc38e057ce52da9f2274d42c6391d308718366
Size

220KB
Sample

210903-k6rvbachc8
MD5

036e2584148eb5111b7e78835dfb22b5
SHA1

a434806f0660f1526600b166291a114496a93f66
SHA256

2032f4f31c54a376ba843d105bcc38e057ce52da9f2274d42c6391d308718366
SHA512

3fd80a96675000e558f05c04a9f60afc8409819d82ab3fb4022cc6e42c951c0b8f20fcd9ff1f75a99575117f538fdcad502424e34f9796d7c41de822bd01d5d8

Score

10^/10

njrat hello evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hello

C2

configpaid.hopto.org:1177

Mutex

2918d83a8048748f66be3a548e28d02b

Attributes

reg_key
2918d83a8048748f66be3a548e28d02b
splitter
|'|'|

Targets

- Target
  
  2032f4f31c54a376ba843d105bcc38e057ce52da9f2274d42c6391d308718366
- Size
  
  220KB
- MD5
  
  036e2584148eb5111b7e78835dfb22b5
- SHA1
  
  a434806f0660f1526600b166291a114496a93f66
- SHA256
  
  2032f4f31c54a376ba843d105bcc38e057ce52da9f2274d42c6391d308718366
- SHA512
  
  3fd80a96675000e558f05c04a9f60afc8409819d82ab3fb4022cc6e42c951c0b8f20fcd9ff1f75a99575117f538fdcad502424e34f9796d7c41de822bd01d5d8
Score

10^/10

njrat hello evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathelloevasionpersistencetrojan

behavioral2

njrathelloevasionpersistencetrojan