njrat | e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1 | Triage

Sharing

General

Target

e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
Size

23KB
Sample

220520-3jc2rabhem
MD5

75af76d2a53d30d3d005ed79719b0839
SHA1

e811f724203ec37b0ac9906349db186a190540ba
SHA256

e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
SHA512

d512cbbe97f7a1bb6bd7744192e7b845d89544ef008cd241d22b4f69ebc9be8796388efe49a96d7d203fc994f8af8ece63f2664560a357f943db74e611c177a7

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

tplinklocal.linkpc.net:1177

Mutex

ac439180f0d27caad533e0a9c298c9a2

Attributes

reg_key
ac439180f0d27caad533e0a9c298c9a2
splitter
|'|'|

Targets

- Target
  
  e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
- Size
  
  23KB
- MD5
  
  75af76d2a53d30d3d005ed79719b0839
- SHA1
  
  e811f724203ec37b0ac9906349db186a190540ba
- SHA256
  
  e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
- SHA512
  
  d512cbbe97f7a1bb6bd7744192e7b845d89544ef008cd241d22b4f69ebc9be8796388efe49a96d7d203fc994f8af8ece63f2664560a357f943db74e611c177a7
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan