njrat | 3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

General

Target

3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3
Size

188KB
Sample

220128-yy7gpacdhn
MD5

3b293d74827ff906a5ca3a4e4439e98f
SHA1

76d14a79e2be1543ab79873e7b87f0deee8aad17
SHA256

3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3
SHA512

255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

Score

10^/10

njrat |erica|evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

|Erica|

C2

drpc.duckdns.org:1414

Mutex

48d74fcafbfa01ee33743b0d0ea39495

Attributes

reg_key
48d74fcafbfa01ee33743b0d0ea39495
splitter
TOP

Targets

- Target
  
  3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3
- Size
  
  188KB
- MD5
  
  3b293d74827ff906a5ca3a4e4439e98f
- SHA1
  
  76d14a79e2be1543ab79873e7b87f0deee8aad17
- SHA256
  
  3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3
- SHA512
  
  255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a
Score

10^/10

njrat |erica|evasion persistence suricata trojan
- Registers COM server for autorun
  persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Registers COM server for autorun

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Modifies Windows Firewall

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2