njrat | 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5 | Triage

Sharing

General

Target

2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
Size

101KB
Sample

220330-c6dzfsbabq
MD5

73fa54775bec045e8c86793ec7c00dc2
SHA1

5a204c087e9fb1a3426ac4adaa1b38b5aa87bba9
SHA256

2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
SHA512

e319f2f7c19cfefd5d4ee97f07692b00e85de2c47b0e7ce9b97fe3c2ed1270a1059089d1135ac315d8df23e34f828674f630948ec2dc1b9998071cfcdf7cb91e

Score

10^/10

njrat hacker evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Hacker

C2

192.168.0.22:5552

Mutex

0d122dd52a6e1fabf394b30dede2ed0a

Attributes

reg_key
0d122dd52a6e1fabf394b30dede2ed0a
splitter
|'|'|

Targets

- Target
  
  2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
- Size
  
  101KB
- MD5
  
  73fa54775bec045e8c86793ec7c00dc2
- SHA1
  
  5a204c087e9fb1a3426ac4adaa1b38b5aa87bba9
- SHA256
  
  2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
- SHA512
  
  e319f2f7c19cfefd5d4ee97f07692b00e85de2c47b0e7ce9b97fe3c2ed1270a1059089d1135ac315d8df23e34f828674f630948ec2dc1b9998071cfcdf7cb91e
Score

10^/10

njrat hacker evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackerevasionpersistencetrojan

behavioral2

evasionpersistence