njrat | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f | Triage

Submit
Reports

Overview

overview

Static

static

8a1b2f098d...1f.exe

windows7_x64

8a1b2f098d...1f.exe

windows10-2004_x64

8

Sharing

General

Target

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
Size

332KB
Sample

220203-tdyxlabecj
MD5

349d353065a260a6cb340666ae9d5f06
SHA1

049c76e212e1e7368c368eb1b47bf18df84f2d61
SHA256

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
SHA512

ecd932d518ef32d2c6c25927c9f0298ab380651078df8b3c837ad7027875574b9bb2764f9ac22bc30d65f816313dbf77554b688bcbaec5a1519c0fa6f1fe5293

Score

10^/10

njrat victime evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe

Resource

win7-en-20211208

njrat victime evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe

Resource

win10v2004-en-20220112

evasion persistence

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Victime

C2

kouji.ddns.net:1177

Mutex

3c8548e6ad9ecf00a0a44c81e84745f1

Attributes

reg_key
3c8548e6ad9ecf00a0a44c81e84745f1
splitter
|'|'|

Targets

- Target
  
  8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
- Size
  
  332KB
- MD5
  
  349d353065a260a6cb340666ae9d5f06
- SHA1
  
  049c76e212e1e7368c368eb1b47bf18df84f2d61
- SHA256
  
  8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
- SHA512
  
  ecd932d518ef32d2c6c25927c9f0298ab380651078df8b3c837ad7027875574b9bb2764f9ac22bc30d65f816313dbf77554b688bcbaec5a1519c0fa6f1fe5293
Score

10^/10

njrat victime evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratvictimeevasionpersistencetrojan

behavioral2

evasionpersistence

© 2018-2024

Terms | Privacy