njrat | 826c48a6a45e08fac9f070963358a4b84fbedf487e132f3801ac15cbdb483a3d | Triage

Sharing

General

Target

826c48a6a45e08fac9f070963358a4b84fbedf487e132f3801ac15cbdb483a3d
Size

245KB
Sample

220520-1zh7lahfdk
MD5

caed3664b5078e9bfc73cedcc3b7426d
SHA1

8782f513ae2dac27002e701b9ff2f620d2811b3d
SHA256

826c48a6a45e08fac9f070963358a4b84fbedf487e132f3801ac15cbdb483a3d
SHA512

20162e95d2fffc10527f2e60fe0c6fe97f2a3ef14df3fd70e0e48e7c25ab0050a9bd1fa12d3e3314f76f79a5f3c59b805f535dc788cd86b3288abdaa982e308f

Score

10^/10

njrat hacked evasion persistence

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

artur9625423.ddns.net:1604

Mutex

a0f05785a71d084224ff0d1739e40e6c

Attributes

reg_key
a0f05785a71d084224ff0d1739e40e6c
splitter
|'|'|

Targets

- Target
  
  826c48a6a45e08fac9f070963358a4b84fbedf487e132f3801ac15cbdb483a3d
- Size
  
  245KB
- MD5
  
  caed3664b5078e9bfc73cedcc3b7426d
- SHA1
  
  8782f513ae2dac27002e701b9ff2f620d2811b3d
- SHA256
  
  826c48a6a45e08fac9f070963358a4b84fbedf487e132f3801ac15cbdb483a3d
- SHA512
  
  20162e95d2fffc10527f2e60fe0c6fe97f2a3ef14df3fd70e0e48e7c25ab0050a9bd1fa12d3e3314f76f79a5f3c59b805f535dc788cd86b3288abdaa982e308f
Score

8^/10

evasion persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence