njrat | 121df38e767b1b2b97511a9edebe0023462cba685ea27b8f8776bd2304fcfb9e | Triage

Sharing

General

Target

121df38e767b1b2b97511a9edebe0023462cba685ea27b8f8776bd2304fcfb9e
Size

29KB
Sample

220520-2vfrcagaf4
MD5

b4f97e12a60f4f5c9a7a70faa5a7b092
SHA1

a83f6c40df8f95bd7f6f09b092dc6577b8008fff
SHA256

121df38e767b1b2b97511a9edebe0023462cba685ea27b8f8776bd2304fcfb9e
SHA512

39559be30f2155a0040ea9e39edde34f6fb95d8c65efecb59887c78b5905301d4f652957b15c657f293574e4cde8d6e203bf18ef90b3d7666b61284a431ccb5c

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

joao2412.ddns.net:1177

Mutex

81ed0e74a40ed4fe8a36a7b819c4279f

Attributes

reg_key
81ed0e74a40ed4fe8a36a7b819c4279f
splitter
|'|'|

Targets

- Target
  
  121df38e767b1b2b97511a9edebe0023462cba685ea27b8f8776bd2304fcfb9e
- Size
  
  29KB
- MD5
  
  b4f97e12a60f4f5c9a7a70faa5a7b092
- SHA1
  
  a83f6c40df8f95bd7f6f09b092dc6577b8008fff
- SHA256
  
  121df38e767b1b2b97511a9edebe0023462cba685ea27b8f8776bd2304fcfb9e
- SHA512
  
  39559be30f2155a0040ea9e39edde34f6fb95d8c65efecb59887c78b5905301d4f652957b15c657f293574e4cde8d6e203bf18ef90b3d7666b61284a431ccb5c
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan