njrat | ef80911a7277a02a9e4945928bcd28d26459ef7cf025942cab50cb6b3603cff0 | Triage

Sharing

General

Target

ef80911a7277a02a9e4945928bcd28d26459ef7cf025942cab50cb6b3603cff0
Size

466KB
Sample

220415-clv28sghem
MD5

bf4b6012252cf883829f410e1046e42a
SHA1

97309564ffa34201b2546dd8350e24820505c487
SHA256

ef80911a7277a02a9e4945928bcd28d26459ef7cf025942cab50cb6b3603cff0
SHA512

738f63608b14936519ba93e822b957dc1eb17978f05a9cba5eb62ce9c306346d4aa3456ef21daa93751aafbee54916e7ca2a1cde8ea9fad2bf2ec36eb52bad47

Score

10^/10

njrat hacker evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hacker

C2

gigilolo.hopto.org:6522

Mutex

c87073769504f742f7bb00ba65dd12f1

Attributes

reg_key
c87073769504f742f7bb00ba65dd12f1
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  ef80911a7277a02a9e4945928bcd28d26459ef7cf025942cab50cb6b3603cff0
- Size
  
  466KB
- MD5
  
  bf4b6012252cf883829f410e1046e42a
- SHA1
  
  97309564ffa34201b2546dd8350e24820505c487
- SHA256
  
  ef80911a7277a02a9e4945928bcd28d26459ef7cf025942cab50cb6b3603cff0
- SHA512
  
  738f63608b14936519ba93e822b957dc1eb17978f05a9cba5eb62ce9c306346d4aa3456ef21daa93751aafbee54916e7ca2a1cde8ea9fad2bf2ec36eb52bad47
Score

10^/10

njrat hacker evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackerevasionpersistencetrojan

behavioral2

njrathackertrojan