njrat | 9703bf9f3b22e8a8cd3b2797a2da5a48d326c9dde57dbe4481b6cbc634b81f04 | Triage

Sharing

General

Target

Twitter Crack.exe
Size

5.4MB
Sample

211023-z2qtsacde8
MD5

87e2016d2af2214bb8bd71b20adcecb4
SHA1

95e0c972f66ae2c0a6ffd41bf4aaeb24e6e567b1
SHA256

9703bf9f3b22e8a8cd3b2797a2da5a48d326c9dde57dbe4481b6cbc634b81f04
SHA512

b38ab45feaa97b689c11301e968c8b6087fa8513409fd0d517ff7d2d86ae9ca104e7d577c80cfb53fb87ddff684146326665385208674790220bcf5a19d6e81d

Score

10^/10

njrat white monkey evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

white monkey

C2

127.0.0.1:1177

Mutex

56af94ecf1deb5aa0dab576ea890f3e9

Attributes

reg_key
56af94ecf1deb5aa0dab576ea890f3e9
splitter
|'|'|

Targets

- Target
  
  Twitter Crack.exe
- Size
  
  5.4MB
- MD5
  
  87e2016d2af2214bb8bd71b20adcecb4
- SHA1
  
  95e0c972f66ae2c0a6ffd41bf4aaeb24e6e567b1
- SHA256
  
  9703bf9f3b22e8a8cd3b2797a2da5a48d326c9dde57dbe4481b6cbc634b81f04
- SHA512
  
  b38ab45feaa97b689c11301e968c8b6087fa8513409fd0d517ff7d2d86ae9ca104e7d577c80cfb53fb87ddff684146326665385208674790220bcf5a19d6e81d
Score

10^/10

njrat white monkey trojan evasion persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratwhite monkeytrojan

behavioral2

njratwhite monkeyevasionpersistencetrojan