njrat | 22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8 | Triage

Sharing

General

Target

22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8
Size

3.2MB
Sample

220508-dxxwmsecc2
MD5

39a92446a2cda218e514994bbfa5163e
SHA1

b85ff67f9f4e798cfcc8409d867d2b9c581c36a5
SHA256

22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8
SHA512

71176a92c06a749cfc5455d2e2ed9395feddd88a4ed66a8d08343b69636b71731af5579a3600eb0c7a45e319c529a9d837449e5a83ed7fc938caecba054e539e

Score

10^/10

njrat zombie evasion persistence trojan

Malware Config

Extracted

Family

njrat

Botnet

Zombie

Mutex

09c32d2d0a299e9d040cc8b2a01b8e4f

Attributes

reg_key
09c32d2d0a299e9d040cc8b2a01b8e4f

Targets

- Target
  
  22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8
- Size
  
  3.2MB
- MD5
  
  39a92446a2cda218e514994bbfa5163e
- SHA1
  
  b85ff67f9f4e798cfcc8409d867d2b9c581c36a5
- SHA256
  
  22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8
- SHA512
  
  71176a92c06a749cfc5455d2e2ed9395feddd88a4ed66a8d08343b69636b71731af5579a3600eb0c7a45e319c529a9d837449e5a83ed7fc938caecba054e539e
Score

10^/10

njrat zombie evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratzombieevasionpersistencetrojan

behavioral2

njratzombiepersistencetrojan