njrat | e75d73d4285e729b6644cad6ef5249e83ac4d15bdb212ff92dff92839febd9db | Triage

Sharing

General

Target

e75d73d4285e729b6644cad6ef5249e83ac4d15bdb212ff92dff92839febd9db
Size

12.5MB
Sample

220502-w7htksffem
MD5

64e88cad09d0da9bb397a056f90d9adf
SHA1

b3d3222634709435c8a2fb3d1b76561c6511a820
SHA256

e75d73d4285e729b6644cad6ef5249e83ac4d15bdb212ff92dff92839febd9db
SHA512

ba75376d10fe753c572024d6b8ddf7a2dc73c050ea213ae36244e19b740626ad3e227319b4269d19a35c9a4ae211b116360cc9ae676adcc737fa1104018916a5

Score

10^/10

njrat hello evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hello

C2

milla.publicvm.com:1177

Mutex

db40d702d5d21769acc53920e635c9cf

Attributes

reg_key
db40d702d5d21769acc53920e635c9cf
splitter
|'|'|

Targets

- Target
  
  e75d73d4285e729b6644cad6ef5249e83ac4d15bdb212ff92dff92839febd9db
- Size
  
  12.5MB
- MD5
  
  64e88cad09d0da9bb397a056f90d9adf
- SHA1
  
  b3d3222634709435c8a2fb3d1b76561c6511a820
- SHA256
  
  e75d73d4285e729b6644cad6ef5249e83ac4d15bdb212ff92dff92839febd9db
- SHA512
  
  ba75376d10fe753c572024d6b8ddf7a2dc73c050ea213ae36244e19b740626ad3e227319b4269d19a35c9a4ae211b116360cc9ae676adcc737fa1104018916a5
Score

10^/10

njrat hello evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathelloevasiontrojan

behavioral2

njratevasiontrojan