njrat | 075cf082102b2ffe2fa7af3c419b08364779c56cf89e77be422d5f0ea3470bf8 | Triage

Sharing

General

Target

075cf082102b2ffe2fa7af3c419b08364779c56cf89e77be422d5f0ea3470bf8
Size

12.5MB
Sample

220502-w8rswafgak
MD5

9f724dd7dd271cb49f4535211c0fd78c
SHA1

637bc473ecf9e16f83e8093916ae24f2c6242885
SHA256

075cf082102b2ffe2fa7af3c419b08364779c56cf89e77be422d5f0ea3470bf8
SHA512

323b03c7eec9dc175b3274bba87b03204f7730940261c80d91d5f83189e5a248efb380b5536e4b61bcb6661ba96b674ce5322482a80d2ec27349d962c67b01d4

Score

10^/10

njrat hello evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hello

C2

milla.publicvm.com:1177

Mutex

db40d702d5d21769acc53920e635c9cf

Attributes

reg_key
db40d702d5d21769acc53920e635c9cf
splitter
|'|'|

Targets

- Target
  
  075cf082102b2ffe2fa7af3c419b08364779c56cf89e77be422d5f0ea3470bf8
- Size
  
  12.5MB
- MD5
  
  9f724dd7dd271cb49f4535211c0fd78c
- SHA1
  
  637bc473ecf9e16f83e8093916ae24f2c6242885
- SHA256
  
  075cf082102b2ffe2fa7af3c419b08364779c56cf89e77be422d5f0ea3470bf8
- SHA512
  
  323b03c7eec9dc175b3274bba87b03204f7730940261c80d91d5f83189e5a248efb380b5536e4b61bcb6661ba96b674ce5322482a80d2ec27349d962c67b01d4
Score

10^/10

njrat hello evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathelloevasiontrojan

behavioral2

njratevasiontrojan