njrat | d173b9844be24a9172f2f2adcde3dd65090afa690b1bd952a7da01de33ad60ef | Triage

Submit
Reports

Overview

overview

Static

static

d173b9844b...bd.exe

windows7_x64

1

d173b9844b...bd.exe

windows10_x64

Sharing

General

Target

d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe
Size

4KB
Sample

211105-pths4aghel
MD5

b9a1c7dd8171afe0e3fc1524f5eafb18
SHA1

19b79357841b2bcb3438011f4c8e45f7278aeaa9
SHA256

d173b9844be24a9172f2f2adcde3dd65090afa690b1bd952a7da01de33ad60ef
SHA512

d57c9cf4a489dec1f8b17351173e1ffc202e454f214b85e132fbd5d8af2d4a611e50e1a7f85eb0dfce438539aaec3b143d1fafafbaa0def914f6401c5993da6d

Score

10^/10

njrat nyan cat persistence suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe

Resource

win7-en-20211104

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe

Resource

win10-en-20211014

njrat nyan cat persistence suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

redlan.linkpc.net:5553

Mutex

3b407dd04ed042

Attributes

reg_key
3b407dd04ed042
splitter
@!#&^%$

Targets

- Target
  
  d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe
- Size
  
  4KB
- MD5
  
  b9a1c7dd8171afe0e3fc1524f5eafb18
- SHA1
  
  19b79357841b2bcb3438011f4c8e45f7278aeaa9
- SHA256
  
  d173b9844be24a9172f2f2adcde3dd65090afa690b1bd952a7da01de33ad60ef
- SHA512
  
  d57c9cf4a489dec1f8b17351173e1ffc202e454f214b85e132fbd5d8af2d4a611e50e1a7f85eb0dfce438539aaec3b143d1fafafbaa0def914f6401c5993da6d
Score

10^/10

njrat nyan cat persistence suricata trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njratnyan catpersistencesuricatatrojan

© 2018-2024

Terms | Privacy