njrat | db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e | Triage

Sharing

General

Target

db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
Size

43KB
Sample

220520-evgbjshdh5
MD5

71152f3b9a20b6bdf15451f7fefceeb5
SHA1

f1bfb4bbf23866b97cee0fb39895f365377003e9
SHA256

db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
SHA512

1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7

Score

10^/10

njrat ???persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

???

C2

127.0.0.1:6626

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
- Size
  
  43KB
- MD5
  
  71152f3b9a20b6bdf15451f7fefceeb5
- SHA1
  
  f1bfb4bbf23866b97cee0fb39895f365377003e9
- SHA256
  
  db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
- SHA512
  
  1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7
Score

10^/10

njrat ???persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrat???persistencetrojan

behavioral2

njrat???persistencetrojan