njrat | 2d6be84a8bfc3478a59c9e3416857a7170508fcdf586f9f639c216d4e569bb56 | Triage

Sharing

General

Target

2d6be84a8bfc3478a59c9e3416857a7170508fcdf586f9f639c216d4e569bb56
Size

43KB
Sample

220520-2qlf2afgf2
MD5

5a37e9f01baa6070732ae4989d49d986
SHA1

4d0db27bb1281d33a14ab5a87de3268c23107e7e
SHA256

2d6be84a8bfc3478a59c9e3416857a7170508fcdf586f9f639c216d4e569bb56
SHA512

82f13f4a521b0fb1d7cbe3b1f5ad830e994dc4f867f773309f2ca34c0b5f74484c1120b023c70fdf40d2ace96847eb61c9004dbfe5b9c9efaf3b420fb38875fc

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  2d6be84a8bfc3478a59c9e3416857a7170508fcdf586f9f639c216d4e569bb56
- Size
  
  43KB
- MD5
  
  5a37e9f01baa6070732ae4989d49d986
- SHA1
  
  4d0db27bb1281d33a14ab5a87de3268c23107e7e
- SHA256
  
  2d6be84a8bfc3478a59c9e3416857a7170508fcdf586f9f639c216d4e569bb56
- SHA512
  
  82f13f4a521b0fb1d7cbe3b1f5ad830e994dc4f867f773309f2ca34c0b5f74484c1120b023c70fdf40d2ace96847eb61c9004dbfe5b9c9efaf3b420fb38875fc
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan