njrat | fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407 | Triage

Sharing

General

Target

e56578ff67914010aa9f663876b66c4a
Size

37KB
Sample

220114-tls2bahdem
MD5

e56578ff67914010aa9f663876b66c4a
SHA1

802b5d9f5be9fb8213b97567ebc1910e85ddd20f
SHA256

fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407
SHA512

756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Score

10^/10

njrat furios evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Furios

C2

gghosting221.ddns.net:6202

Mutex

5f458dd5f03f50e31781ca69de125d55

Attributes

reg_key
5f458dd5f03f50e31781ca69de125d55
splitter
|'|'|

Targets

- Target
  
  e56578ff67914010aa9f663876b66c4a
- Size
  
  37KB
- MD5
  
  e56578ff67914010aa9f663876b66c4a
- SHA1
  
  802b5d9f5be9fb8213b97567ebc1910e85ddd20f
- SHA256
  
  fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407
- SHA512
  
  756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3
Score

10^/10

njrat furios evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratfuriosevasionpersistencetrojan

behavioral2