njrat | 6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f | Triage

Sharing

General

Target

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f
Size

43KB
Sample

220520-11cq7seec3
MD5

bc64b8cf2bd62cdb36f1773aeeb35c83
SHA1

4882d4f8d0232db5f09281e1aaed8455c1e9cfee
SHA256

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f
SHA512

e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

0.tcp.ngrok.io:12829

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f
- Size
  
  43KB
- MD5
  
  bc64b8cf2bd62cdb36f1773aeeb35c83
- SHA1
  
  4882d4f8d0232db5f09281e1aaed8455c1e9cfee
- SHA256
  
  6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f
- SHA512
  
  e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan