njrat | bd70f3abf0cb69a990396673cddb6e128c394ff84cc7992fd0689bd7d889ad9f | Triage

Sharing

General

Target

bd70f3abf0cb69a990396673cddb6e128c394ff84cc7992fd0689bd7d889ad9f
Size

472KB
Sample

220520-2dqj8afbd8
MD5

bdbfbb101b25104192bc5031631d7ac1
SHA1

91036fcca3acdb459d4ca073d4c67181700d9dc4
SHA256

bd70f3abf0cb69a990396673cddb6e128c394ff84cc7992fd0689bd7d889ad9f
SHA512

c9428f09bfa2f1d2fb98201db9894104533f3c18df83fa147d685254f45dcee5d7ad252a1abc31e85b7dcefe444fc9802a3bb6d28aa419cd23d92de9b8fa0b41

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

192.168.56.1:5522

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  bd70f3abf0cb69a990396673cddb6e128c394ff84cc7992fd0689bd7d889ad9f
- Size
  
  472KB
- MD5
  
  bdbfbb101b25104192bc5031631d7ac1
- SHA1
  
  91036fcca3acdb459d4ca073d4c67181700d9dc4
- SHA256
  
  bd70f3abf0cb69a990396673cddb6e128c394ff84cc7992fd0689bd7d889ad9f
- SHA512
  
  c9428f09bfa2f1d2fb98201db9894104533f3c18df83fa147d685254f45dcee5d7ad252a1abc31e85b7dcefe444fc9802a3bb6d28aa419cd23d92de9b8fa0b41
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan