njrat | d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8 | Triage

Sharing

General

Target

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8
Size

406KB
Sample

220203-shqw4sahhr
MD5

27618e24c576d88396237132b13e0b7a
SHA1

5c7055878d8dd12a8bff678194f054ba74328a28
SHA256

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8
SHA512

37250461692acc1cd34a0f406d8eb1b3043c06afdb91b598cecf19dbdac95f909c9cb36246a730fdfd215aabcb8af21529e96431e70a2cb3a5c2487945010055

Score

10^/10

njrat hack persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hack

C2

medalwaely.no-ip.biz:1177

Mutex

09b4965ef3d07401b926a3a4b3383a3f

Attributes

reg_key
09b4965ef3d07401b926a3a4b3383a3f
splitter
|'|'|

Targets

- Target
  
  d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8
- Size
  
  406KB
- MD5
  
  27618e24c576d88396237132b13e0b7a
- SHA1
  
  5c7055878d8dd12a8bff678194f054ba74328a28
- SHA256
  
  d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8
- SHA512
  
  37250461692acc1cd34a0f406d8eb1b3043c06afdb91b598cecf19dbdac95f909c9cb36246a730fdfd215aabcb8af21529e96431e70a2cb3a5c2487945010055
Score

10^/10

njrat hack trojan persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathacktrojan

behavioral2