njrat | 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b | Triage

Sharing

General

Target

8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b
Size

140KB
Sample

220329-138lnagbal
MD5

cb88e2a5631c6ef481af0803950c5e00
SHA1

f99b8bf66f2629e313e04e8a4cce7a69758fa647
SHA256

8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b
SHA512

9ba281c90ed85b65cfb9cdddb82d7b3e65403fd8869bd15cc65bbe8dbb82bcab2084517e6698942864b8ad018a13666622a90fd2ad97e6ef60ff8993d9da5fb5

Score

10^/10

njrat hacker evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Hacker

C2

192.168.0.22:5552

Mutex

0d122dd52a6e1fabf394b30dede2ed0a

Attributes

reg_key
0d122dd52a6e1fabf394b30dede2ed0a
splitter
|'|'|

Targets

- Target
  
  8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b
- Size
  
  140KB
- MD5
  
  cb88e2a5631c6ef481af0803950c5e00
- SHA1
  
  f99b8bf66f2629e313e04e8a4cce7a69758fa647
- SHA256
  
  8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b
- SHA512
  
  9ba281c90ed85b65cfb9cdddb82d7b3e65403fd8869bd15cc65bbe8dbb82bcab2084517e6698942864b8ad018a13666622a90fd2ad97e6ef60ff8993d9da5fb5
Score

10^/10

njrat hacker evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackerevasionpersistencetrojan

behavioral2

evasionpersistence