njrat | c8ad2a5b3da748a73f4ba9497f5d7674735f93716b9454fea5db13c7d5d0ee68 | Triage

Sharing

General

Target

8bc16349fad1dd201cf7929eb7ae7fce.exe
Size

1.1MB
Sample

210904-yvebqsedh7
MD5

8bc16349fad1dd201cf7929eb7ae7fce
SHA1

8a4eeb9c27e09c9e970f63731f9137013ad83c19
SHA256

c8ad2a5b3da748a73f4ba9497f5d7674735f93716b9454fea5db13c7d5d0ee68
SHA512

b7fba6f2c4694ff7c48c3b136c37a3f456e1bcf9a5aeb32fcd3eb9b51dcfe2f8ab1c2d0242a6ce0e1f7c75c9fa45d11c6a36ea46cc91e56fcabfa4e966f9f5c3

Score

10^/10

njrat tax_mon_30_08 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

TAX_MON_30_08

C2

37.120.141.158:18892

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  8bc16349fad1dd201cf7929eb7ae7fce.exe
- Size
  
  1.1MB
- MD5
  
  8bc16349fad1dd201cf7929eb7ae7fce
- SHA1
  
  8a4eeb9c27e09c9e970f63731f9137013ad83c19
- SHA256
  
  c8ad2a5b3da748a73f4ba9497f5d7674735f93716b9454fea5db13c7d5d0ee68
- SHA512
  
  b7fba6f2c4694ff7c48c3b136c37a3f456e1bcf9a5aeb32fcd3eb9b51dcfe2f8ab1c2d0242a6ce0e1f7c75c9fa45d11c6a36ea46cc91e56fcabfa4e966f9f5c3
Score

10^/10

evasion persistence trojan njrat tax_mon_30_08
- Windows security bypass
  evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

njrattax_mon_30_08evasiontrojan