njrat | ad53faff462d7da469c5c70b622482d9c59d2b5d14299f10e49b625a8dcaeba7 | Triage

Sharing

General

Target

ad53faff462d7da469c5c70b622482d9c59d2b5d14299f10e49b625a8dcaeba7
Size

23KB
Sample

220520-p6vy7acfb3
MD5

8cece45770d4bef48d2d9d40d952b8b1
SHA1

05e4490195ea8d342809cf96b439ce54d927b3bb
SHA256

ad53faff462d7da469c5c70b622482d9c59d2b5d14299f10e49b625a8dcaeba7
SHA512

f73f091f0c3306fa12f0c5bf3f988741d38b8d9e7123d9fb8d75306321b740e2078b9666bc0158193f8cfed231d229c35c54aa913f030f63b4aef8cf2fd1a4ce

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

rattedlmao.ddns.net:5555

Mutex

9dc16129f7613d89723d715b6ad058d3

Attributes

reg_key
9dc16129f7613d89723d715b6ad058d3
splitter
|'|'|

Targets

- Target
  
  ad53faff462d7da469c5c70b622482d9c59d2b5d14299f10e49b625a8dcaeba7
- Size
  
  23KB
- MD5
  
  8cece45770d4bef48d2d9d40d952b8b1
- SHA1
  
  05e4490195ea8d342809cf96b439ce54d927b3bb
- SHA256
  
  ad53faff462d7da469c5c70b622482d9c59d2b5d14299f10e49b625a8dcaeba7
- SHA512
  
  f73f091f0c3306fa12f0c5bf3f988741d38b8d9e7123d9fb8d75306321b740e2078b9666bc0158193f8cfed231d229c35c54aa913f030f63b4aef8cf2fd1a4ce
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedtrojan