njrat | 877453c0e614e732eb9ee378693cf92263d2373e09c8287e3a4a821ecee29764 | Triage

Sharing

General

Target

877453c0e614e732eb9ee378693cf92263d2373e09c8287e3a4a821ecee29764
Size

188KB
Sample

220128-yk7kjacdf6
MD5

4bd6f8de8320169b364ac916e818ce80
SHA1

c6ad19d174d06cdc1edf50551daaa5aee0559e66
SHA256

877453c0e614e732eb9ee378693cf92263d2373e09c8287e3a4a821ecee29764
SHA512

1d6342f7b1c79f157b57fc2b32e4bfe63d9466e100bb43c5377e5038800417c1dae2ae925fbe369199f394fa405e71ed860202e8b027f59789e7fbea5ea8a7a1

Score

10^/10

njrat c.d.t 3xp101t clean evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

C.D.T 3XP101T CLEAN

C2

olhomagicocdt.duckdns.org:5552

Mutex

3febdbb44d130842434a177a4471f31e

Attributes

reg_key
3febdbb44d130842434a177a4471f31e
splitter
|'|'|

Targets

- Target
  
  877453c0e614e732eb9ee378693cf92263d2373e09c8287e3a4a821ecee29764
- Size
  
  188KB
- MD5
  
  4bd6f8de8320169b364ac916e818ce80
- SHA1
  
  c6ad19d174d06cdc1edf50551daaa5aee0559e66
- SHA256
  
  877453c0e614e732eb9ee378693cf92263d2373e09c8287e3a4a821ecee29764
- SHA512
  
  1d6342f7b1c79f157b57fc2b32e4bfe63d9466e100bb43c5377e5038800417c1dae2ae925fbe369199f394fa405e71ed860202e8b027f59789e7fbea5ea8a7a1
Score

10^/10

njrat c.d.t 3xp101t clean evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratc.d.t 3xp101t cleanevasionpersistencetrojan

behavioral2

njratc.d.t 3xp101t cleanevasionpersistencetrojan