njrat | ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20 | Triage

Sharing

General

Target

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
Size

229KB
Sample

220328-2a8avscahn
MD5

7d276dfb51b873aa1fa8d512a961b8e7
SHA1

0070198c1e94602fdc435a5933990861e9d7836c
SHA256

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
SHA512

11f360bbe72a90c9364fb4f9d8d8659bb82d18745077cb85b08b158bbdabc05735f0b38a4710c42759d2bca23cbbebd0e77159228f8754ac7553ef1ccc05327e

Score

10^/10

njrat system persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

urbanhuman123.duckdns.org:3131

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
- Size
  
  229KB
- MD5
  
  7d276dfb51b873aa1fa8d512a961b8e7
- SHA1
  
  0070198c1e94602fdc435a5933990861e9d7836c
- SHA256
  
  ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
- SHA512
  
  11f360bbe72a90c9364fb4f9d8d8659bb82d18745077cb85b08b158bbdabc05735f0b38a4710c42759d2bca23cbbebd0e77159228f8754ac7553ef1ccc05327e
Score

10^/10

njrat system persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratsystempersistencetrojan

behavioral2

njratsystemtrojan