njrat | 9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb | Triage

Sharing

General

Target

gtarpcheat.exe
Size

103KB
Sample

211221-y93ymseef6
MD5

c1baf97f7fb46569c697c3d719ad6cec
SHA1

82396f8670a064715b8c1bf6d54b84e3ccc90331
SHA256

9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb
SHA512

17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb

Score

10^/10

njrat gta rp evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

GTA RP

C2

microsoftsecurityessentials.duckdns.org:1177

Mutex

2d2d20531cddc7f18203ecb28deee8a9

Attributes

reg_key
2d2d20531cddc7f18203ecb28deee8a9
splitter
|'|'|

Targets

- Target
  
  gtarpcheat.exe
- Size
  
  103KB
- MD5
  
  c1baf97f7fb46569c697c3d719ad6cec
- SHA1
  
  82396f8670a064715b8c1bf6d54b84e3ccc90331
- SHA256
  
  9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb
- SHA512
  
  17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb
Score

10^/10

njrat gta rp evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratgta rpevasionpersistencetrojan

behavioral2

njratgta rpevasionpersistencetrojan