njrat | 08a16325eb4523ff4193355516d182c1e8fcb3016409c92193f51053dd4fe180 | Triage

Sharing

General

Target

08a16325eb4523ff4193355516d182c1e8fcb3016409c92193f51053dd4fe180
Size

123KB
Sample

220503-sgjfmscddn
MD5

946333d7d6a396ab789cb72f74c7f9aa
SHA1

07391a865a6c0d781fae9754872d05437bd2ced5
SHA256

08a16325eb4523ff4193355516d182c1e8fcb3016409c92193f51053dd4fe180
SHA512

382cca85edecb737762c14eee850fc887745be8d1e33cf4f9521db42dcaed95d23c342532e015c6a7e792f2fde72161e064405147b3060850aa6d9139ed858df

Score

10^/10

njrat hacked by hidden person evasion persistence trojan

Malware Config

Extracted

Family

njrat

Botnet

Hacked By HiDDen PerSOn

Mutex

e6be5f00f026aa28102ba2f0df8f3ec3

Attributes

reg_key
e6be5f00f026aa28102ba2f0df8f3ec3

Targets

- Target
  
  08a16325eb4523ff4193355516d182c1e8fcb3016409c92193f51053dd4fe180
- Size
  
  123KB
- MD5
  
  946333d7d6a396ab789cb72f74c7f9aa
- SHA1
  
  07391a865a6c0d781fae9754872d05437bd2ced5
- SHA256
  
  08a16325eb4523ff4193355516d182c1e8fcb3016409c92193f51053dd4fe180
- SHA512
  
  382cca85edecb737762c14eee850fc887745be8d1e33cf4f9521db42dcaed95d23c342532e015c6a7e792f2fde72161e064405147b3060850aa6d9139ed858df
Score

10^/10

njrat hacked by hidden person evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathacked by hidden personevasionpersistencetrojan

behavioral2

njrathacked by hidden personevasionpersistencetrojan