njrat | c24ea2a4f56ca0eab1080f9979a3e8c57a0c8d4b7872e4eda5bb1e4f147ee7a1 | Triage

Sharing

General

Target

c24ea2a4f56ca0eab1080f9979a3e8c57a0c8d4b7872e4eda5bb1e4f147ee7a1
Size

23KB
Sample

220520-wypkrsegcp
MD5

017d58616ffe5e91e84cd5a10dc6cf5a
SHA1

076df91663f13ad61457060661db5937d451a60c
SHA256

c24ea2a4f56ca0eab1080f9979a3e8c57a0c8d4b7872e4eda5bb1e4f147ee7a1
SHA512

5ae5ad9459a6a43849297569024b56dd7bb8ce4cafec1e35ed9fe70e9825cb4fc2e86bae624560039286fbb76aa7b2d2c50d0bf34a2239568d0fc4a77db47979

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

bmhha.ddns.net:1604

Mutex

81070cdd786421ae0d07b0841d9f8467

Attributes

reg_key
81070cdd786421ae0d07b0841d9f8467
splitter
|'|'|

Targets

- Target
  
  c24ea2a4f56ca0eab1080f9979a3e8c57a0c8d4b7872e4eda5bb1e4f147ee7a1
- Size
  
  23KB
- MD5
  
  017d58616ffe5e91e84cd5a10dc6cf5a
- SHA1
  
  076df91663f13ad61457060661db5937d451a60c
- SHA256
  
  c24ea2a4f56ca0eab1080f9979a3e8c57a0c8d4b7872e4eda5bb1e4f147ee7a1
- SHA512
  
  5ae5ad9459a6a43849297569024b56dd7bb8ce4cafec1e35ed9fe70e9825cb4fc2e86bae624560039286fbb76aa7b2d2c50d0bf34a2239568d0fc4a77db47979
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan