njrat | 14c3d06f79c7518433e2baef8a920a310393b394b219241ff8e88a7ed7c7a07a

General

Target

INVOICE PAID.vbs
Size

7KB
Sample

210922-vzwj2adcf7
MD5

faadd040a36132904b0b44ce8acb801a
SHA1

34e16916fce2e1a3465a8b571ca0d970509317c3
SHA256

14c3d06f79c7518433e2baef8a920a310393b394b219241ff8e88a7ed7c7a07a
SHA512

93476f94af989f26204a3811c10a827f4d3e2a8ded6372b169a8849b2acaaa831b9245e6e67d715ac9d7ee23a3f9c743094a13cde6f185c5e75bd69ef8734bd4

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.112.210.240/nnnnnnnnnnnnnnnnjbypass.txt

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

103.156.92.140:5489

Mutex

b9bcbd71b3095eaa1d613e7db66ba013

Attributes

reg_key
b9bcbd71b3095eaa1d613e7db66ba013
splitter
|'|'|

Targets

- Target
  
  INVOICE PAID.vbs
- Size
  
  7KB
- MD5
  
  faadd040a36132904b0b44ce8acb801a
- SHA1
  
  34e16916fce2e1a3465a8b571ca0d970509317c3
- SHA256
  
  14c3d06f79c7518433e2baef8a920a310393b394b219241ff8e88a7ed7c7a07a
- SHA512
  
  93476f94af989f26204a3811c10a827f4d3e2a8ded6372b169a8849b2acaaa831b9245e6e67d715ac9d7ee23a3f9c743094a13cde6f185c5e75bd69ef8734bd4
Score

10^/10

njrat hacked evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

njRAT/Bladabindi

Blocklisted process makes network request

Modifies Windows Firewall

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2