njrat | 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034 | Triage

Sharing

General

Target

1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
Size

32KB
Sample

220415-a5jgfaehhq
MD5

5f1f482c1244682a829e224aa40e6de3
SHA1

69d8bf75600c47ca57b2fd89d21d27c2c58365ad
SHA256

1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
SHA512

c2a4ea72edc7f15a1d613cc08f2eee8b343ceae48021c8edccaa79a52f06502c0dad55410d4e92a6592b5fbd2a1b7d9c7f7af480ab0b6f26ee15422b0cdd9738

Score

10^/10

njrat zombie evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Zombie

C2

112.166.177.15:1

Mutex

b7df430e3057c59320a80e9e06fb22b0

Attributes

reg_key
b7df430e3057c59320a80e9e06fb22b0
splitter
|'|'|

Targets

- Target
  
  1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
- Size
  
  32KB
- MD5
  
  5f1f482c1244682a829e224aa40e6de3
- SHA1
  
  69d8bf75600c47ca57b2fd89d21d27c2c58365ad
- SHA256
  
  1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
- SHA512
  
  c2a4ea72edc7f15a1d613cc08f2eee8b343ceae48021c8edccaa79a52f06502c0dad55410d4e92a6592b5fbd2a1b7d9c7f7af480ab0b6f26ee15422b0cdd9738
Score

10^/10

njrat zombie evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratzombieevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan