njrat | 03b9378b4ab9711d69a10151b1a82a88018d2f910a9111243f1abadfb6a8f7c5 | Triage

Sharing

General

Target

Discord Nitro Generator.exe
Size

5.4MB
Sample

211107-gek1xahee4
MD5

036cf4e0867b7da5d61cca264d383aa7
SHA1

0924c45b9b1eba4060fb67d809813042cde0cd06
SHA256

03b9378b4ab9711d69a10151b1a82a88018d2f910a9111243f1abadfb6a8f7c5
SHA512

e71415ab39f4237a30c3bb83a23aa5474b1d0e1fe424dfe9447d758481e6c1fdc1891a90ab957e47bd6ac9ce8a5c608bc7d518f84a711fef259fcc12b3e27bab

Score

10^/10

njrat white monkey evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

white monkey

C2

127.0.0.1:1177

Mutex

56af94ecf1deb5aa0dab576ea890f3e9

Attributes

reg_key
56af94ecf1deb5aa0dab576ea890f3e9
splitter
|'|'|

Targets

- Target
  
  Discord Nitro Generator.exe
- Size
  
  5.4MB
- MD5
  
  036cf4e0867b7da5d61cca264d383aa7
- SHA1
  
  0924c45b9b1eba4060fb67d809813042cde0cd06
- SHA256
  
  03b9378b4ab9711d69a10151b1a82a88018d2f910a9111243f1abadfb6a8f7c5
- SHA512
  
  e71415ab39f4237a30c3bb83a23aa5474b1d0e1fe424dfe9447d758481e6c1fdc1891a90ab957e47bd6ac9ce8a5c608bc7d518f84a711fef259fcc12b3e27bab
Score

10^/10

njrat white monkey trojan evasion persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratwhite monkeytrojan

behavioral2

njratwhite monkeyevasionpersistencetrojan