njrat | d169973b1243af06c1ac39008833f37dde4a324b5718adf56b373d69f2477b69 | Triage

Sharing

General

Target

d169973b1243af06c1ac39008833f37dde4a324b5718adf56b373d69f2477b69
Size

37KB
Sample

220520-3vepqacder
MD5

3f171a70aa41a7ed35f478a8a4e7cdaf
SHA1

113e61943a4b0b140fac027259157065b5d1d69e
SHA256

d169973b1243af06c1ac39008833f37dde4a324b5718adf56b373d69f2477b69
SHA512

ca10671ecedd2aa55aa4f299f00ee0a16c9073bff6ffd6ea17b77d62c7802f12d4fcca6750256d10257932e3d86f01415cf16765ed1fb215a6b37ca4836ce99d

Score

10^/10

njrat hacked evasion persistence

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

82.202.167.194:1018

Mutex

44acb4d786c53ef4af770124b024d21e

Attributes

reg_key
44acb4d786c53ef4af770124b024d21e
splitter
|'|'|

Targets

- Target
  
  d169973b1243af06c1ac39008833f37dde4a324b5718adf56b373d69f2477b69
- Size
  
  37KB
- MD5
  
  3f171a70aa41a7ed35f478a8a4e7cdaf
- SHA1
  
  113e61943a4b0b140fac027259157065b5d1d69e
- SHA256
  
  d169973b1243af06c1ac39008833f37dde4a324b5718adf56b373d69f2477b69
- SHA512
  
  ca10671ecedd2aa55aa4f299f00ee0a16c9073bff6ffd6ea17b77d62c7802f12d4fcca6750256d10257932e3d86f01415cf16765ed1fb215a6b37ca4836ce99d
Score

8^/10

evasion persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence