njrat | 5b214ea4cc035e5375f3a6335c847dea72c5db6f8423828d0d27f7ab6ef4e0ca | Triage

Sharing

General

Target

5b214ea4cc035e5375f3a6335c847dea72c5db6f8423828d0d27f7ab6ef4e0ca
Size

31KB
Sample

220520-e5axhsaae3
MD5

b5d21530538e7822bd6ccbf4458eb903
SHA1

d44b98c09eecc1358dec7378de630d9da63e5a25
SHA256

5b214ea4cc035e5375f3a6335c847dea72c5db6f8423828d0d27f7ab6ef4e0ca
SHA512

91c37315bd4372fcd24396aff2efcd018ed83e4c44a8eb4db23f1815cd2114cb9ba2e7dab5509e68edc7e596b5da9abc9173a845531838a275cecbe108388d36

Score

10^/10

njrat q evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

q

C2

90.191.122.120:6522

Mutex

255d238b748d6b3fe0502dded68c366c

Attributes

reg_key
255d238b748d6b3fe0502dded68c366c
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  5b214ea4cc035e5375f3a6335c847dea72c5db6f8423828d0d27f7ab6ef4e0ca
- Size
  
  31KB
- MD5
  
  b5d21530538e7822bd6ccbf4458eb903
- SHA1
  
  d44b98c09eecc1358dec7378de630d9da63e5a25
- SHA256
  
  5b214ea4cc035e5375f3a6335c847dea72c5db6f8423828d0d27f7ab6ef4e0ca
- SHA512
  
  91c37315bd4372fcd24396aff2efcd018ed83e4c44a8eb4db23f1815cd2114cb9ba2e7dab5509e68edc7e596b5da9abc9173a845531838a275cecbe108388d36
Score

10^/10

njrat q evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratqevasionpersistencetrojan

behavioral2

njratqevasionpersistencetrojan