njrat | 59cda195f8f6d24dd2acb15673b06d4d738a3a179d59d4aec35bead962f953ea | Triage

Sharing

General

Target

59cda195f8f6d24dd2acb15673b06d4d738a3a179d59d4aec35bead962f953ea
Size

43KB
Sample

220520-e5bttaaae5
MD5

4803b4a5928f6b198aefb86a9707b244
SHA1

0385ad6a5deab384f819dbcbf34f4a30d998ebec
SHA256

59cda195f8f6d24dd2acb15673b06d4d738a3a179d59d4aec35bead962f953ea
SHA512

cb64510b3aba8e818d8b34626ecaf0e6476d86fc088d05afe3fefc8829294c87e1be0ba48d76038416477f4eb4c6d322714452c5e68d26b7cba338189aa2a7b7

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

146.120.244.6:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  59cda195f8f6d24dd2acb15673b06d4d738a3a179d59d4aec35bead962f953ea
- Size
  
  43KB
- MD5
  
  4803b4a5928f6b198aefb86a9707b244
- SHA1
  
  0385ad6a5deab384f819dbcbf34f4a30d998ebec
- SHA256
  
  59cda195f8f6d24dd2acb15673b06d4d738a3a179d59d4aec35bead962f953ea
- SHA512
  
  cb64510b3aba8e818d8b34626ecaf0e6476d86fc088d05afe3fefc8829294c87e1be0ba48d76038416477f4eb4c6d322714452c5e68d26b7cba338189aa2a7b7
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan