njrat | b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98 | Triage

Sharing

General

Target

b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98
Size

37KB
Sample

211219-r67zvshdbj
MD5

756b5288c29c75f8a689cf1010ddbe25
SHA1

6b0f81673af9c4bb6dc6f7fd275679ebfa46a756
SHA256

b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98
SHA512

a515d02bda13ea9b06287a5a73cf08aef0d9907a1800cede4f3e314597264475ceccaa3f4e3c0fe769aaef0ee6f52d1cf1dbb98a80a22a83cd0582159311df8e

Score

10^/10

njrat pidor evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

pidor

C2

8.tcp.ngrok.io:12086:12086

Mutex

1b6ef007d35ce987ac4dec265faa179b

Attributes

reg_key
1b6ef007d35ce987ac4dec265faa179b
splitter
|'|'|

Targets

- Target
  
  b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98
- Size
  
  37KB
- MD5
  
  756b5288c29c75f8a689cf1010ddbe25
- SHA1
  
  6b0f81673af9c4bb6dc6f7fd275679ebfa46a756
- SHA256
  
  b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98
- SHA512
  
  a515d02bda13ea9b06287a5a73cf08aef0d9907a1800cede4f3e314597264475ceccaa3f4e3c0fe769aaef0ee6f52d1cf1dbb98a80a22a83cd0582159311df8e
Score

10^/10

njrat pidor evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratpidorevasionpersistencetrojan