njrat | c39e53a8a1d7e702ce379ee016e79448798adcc9ecf57854e0dffdf8e12aebd0 | Triage

Sharing

General

Target

C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
Size

37KB
Sample

210916-vly31adgg5
MD5

4211578cdfacbd2ba17aeca89f127f60
SHA1

d09bb5b348703089849fb0650c24501de5b5d388
SHA256

c39e53a8a1d7e702ce379ee016e79448798adcc9ecf57854e0dffdf8e12aebd0
SHA512

f248df22736ba09d85921c4be09f367dd8960b2144a875799b0ebcbf695c33d0b68eb1df3ea8ec975fd7897a6c3c200e600c3b5fe68fe9ab0bfdae3448880d7a

Score

10^/10

njrat hacked evasion persistence

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

8.tcp.ngrok.io:11658

Mutex

789f05f583cf1829fbeacd099e6f1a6c

Attributes

reg_key
789f05f583cf1829fbeacd099e6f1a6c
splitter
|'|'|

Targets

- Target
  
  C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Size
  
  37KB
- MD5
  
  4211578cdfacbd2ba17aeca89f127f60
- SHA1
  
  d09bb5b348703089849fb0650c24501de5b5d388
- SHA256
  
  c39e53a8a1d7e702ce379ee016e79448798adcc9ecf57854e0dffdf8e12aebd0
- SHA512
  
  f248df22736ba09d85921c4be09f367dd8960b2144a875799b0ebcbf695c33d0b68eb1df3ea8ec975fd7897a6c3c200e600c3b5fe68fe9ab0bfdae3448880d7a
Score

8^/10

evasion persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence