njrat | 6d03ac7f036581531299dec4e1dd380bf19e17b88dcf43dcc5a6eae62ab87a6c | Triage

Sharing

General

Target

Twitter Hacking Tool.exe
Size

5.4MB
Sample

211111-22txjsccf4
MD5

c17a1a08f40029c5134c7dfee8855c62
SHA1

aeddeda74af8d0645090be751a8f1a9a389a7fa9
SHA256

6d03ac7f036581531299dec4e1dd380bf19e17b88dcf43dcc5a6eae62ab87a6c
SHA512

b27076e68926b751c3496eb7fb029a0840ca9d630d1b27c6f329cbad789b0c89d2c5453ff519ef165d9cf99a0f2e57905fe08d290084f9d10559d58090bc57d3

Score

10^/10

njrat white monkey evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

white monkey

C2

127.0.0.1:1177

Mutex

56af94ecf1deb5aa0dab576ea890f3e9

Attributes

reg_key
56af94ecf1deb5aa0dab576ea890f3e9
splitter
|'|'|

Targets

- Target
  
  Twitter Hacking Tool.exe
- Size
  
  5.4MB
- MD5
  
  c17a1a08f40029c5134c7dfee8855c62
- SHA1
  
  aeddeda74af8d0645090be751a8f1a9a389a7fa9
- SHA256
  
  6d03ac7f036581531299dec4e1dd380bf19e17b88dcf43dcc5a6eae62ab87a6c
- SHA512
  
  b27076e68926b751c3496eb7fb029a0840ca9d630d1b27c6f329cbad789b0c89d2c5453ff519ef165d9cf99a0f2e57905fe08d290084f9d10559d58090bc57d3
Score

10^/10

njrat white monkey trojan evasion persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratwhite monkeytrojan

behavioral2

njratwhite monkeyevasionpersistencetrojan