njrat | 327a3182d9600ce08cd59ecbe4b5cee6e49736cb6b02749fd57972007d6bea11 | Triage

Sharing

General

Target

327A3182D9600CE08CD59ECBE4B5CEE6E49736CB6B027.exe
Size

277KB
Sample

210911-n7txvabch6
MD5

12fcd9494fe933014ef9e9d501f815a0
SHA1

6a64df986e28df14268cce47100213d4c5b1ffef
SHA256

327a3182d9600ce08cd59ecbe4b5cee6e49736cb6b02749fd57972007d6bea11
SHA512

b4d82b8931d5b91bcb9a6c0eac238109bd74cfb335ebcaad8753cc5c66859d76fe50731093d9594157a10cc316d59d32a39d5843beb7cd546bbdd0ec95931d4a

Score

10^/10

njrat pc-pc agilenet persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

PC-pc

C2

master1520.duckdns.org:2084

Mutex

Java.exe

Attributes

reg_key
Java.exe
splitter
1234

Targets

- Target
  
  327A3182D9600CE08CD59ECBE4B5CEE6E49736CB6B027.exe
- Size
  
  277KB
- MD5
  
  12fcd9494fe933014ef9e9d501f815a0
- SHA1
  
  6a64df986e28df14268cce47100213d4c5b1ffef
- SHA256
  
  327a3182d9600ce08cd59ecbe4b5cee6e49736cb6b02749fd57972007d6bea11
- SHA512
  
  b4d82b8931d5b91bcb9a6c0eac238109bd74cfb335ebcaad8753cc5c66859d76fe50731093d9594157a10cc316d59d32a39d5843beb7cd546bbdd0ec95931d4a
Score

10^/10

njrat pc-pc agilenet persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratpc-pcagilenetpersistencetrojan

behavioral2

njratpc-pcagilenetpersistencetrojan