njrat | 0f9a62ff1c6cd64e3f114e61890c62c3e7ac67f1b96010e0d5017386aae9d845 | Triage

Sharing

General

Target

a8535d5778f0d6177d4a0f6623ae7ad5.exe
Size

37KB
Sample

211111-bqnchsaee3
MD5

a8535d5778f0d6177d4a0f6623ae7ad5
SHA1

a45fdd4f8b93faf01e70a3635d3ea0dd8ffd9d52
SHA256

0f9a62ff1c6cd64e3f114e61890c62c3e7ac67f1b96010e0d5017386aae9d845
SHA512

c5d3d52329f6147c4688970efdeb3a2ef7f491c4ebd9f78598557f08aa039a6fadd194e6a76edd9d931d493c3fb6f65c787002f08f8c57db52c67de0f766f0b5

Score

10^/10

njrat hacked evasion persistence

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

0.tcp.ngrok.io:16936

Mutex

6522a3fb379b191d0e0a5738f031acf1

Attributes

reg_key
6522a3fb379b191d0e0a5738f031acf1
splitter
|'|'|

Targets

- Target
  
  a8535d5778f0d6177d4a0f6623ae7ad5.exe
- Size
  
  37KB
- MD5
  
  a8535d5778f0d6177d4a0f6623ae7ad5
- SHA1
  
  a45fdd4f8b93faf01e70a3635d3ea0dd8ffd9d52
- SHA256
  
  0f9a62ff1c6cd64e3f114e61890c62c3e7ac67f1b96010e0d5017386aae9d845
- SHA512
  
  c5d3d52329f6147c4688970efdeb3a2ef7f491c4ebd9f78598557f08aa039a6fadd194e6a76edd9d931d493c3fb6f65c787002f08f8c57db52c67de0f766f0b5
Score

8^/10

evasion persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence