njrat | a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8 | Triage

Sharing

General

Target

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
Size

83KB
Sample

210907-gxpf2scab6
MD5

7c6290951c89aac232a806d70f72e573
SHA1

0cd2416d39e7e11a7066d12adff69ccd9411b98d
SHA256

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
SHA512

9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Score

10^/10

njrat .......celcom evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

.......CELCOM

C2

anunankis1.duckdns.org:1177

Mutex

04404d18b002688e39bb45a634c1a35a

Attributes

reg_key
04404d18b002688e39bb45a634c1a35a
splitter
|'|'|

Targets

- Target
  
  a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
- Size
  
  83KB
- MD5
  
  7c6290951c89aac232a806d70f72e573
- SHA1
  
  0cd2416d39e7e11a7066d12adff69ccd9411b98d
- SHA256
  
  a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
- SHA512
  
  9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe
Score

10^/10

njrat .......celcom evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrat.......celcomevasiontrojan

behavioral2

njrat.......celcomevasiontrojan