njrat | 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd | Triage

Sharing

General

Target

3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
Size

69KB
Sample

220520-xfxzvsfdbp
MD5

04ee19dcd3079ca37c8f829d2b30513f
SHA1

185f80cc3e7aa3ca8148bc83f240d3789d7e0706
SHA256

3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
SHA512

1d9ed9e96d4c0ef1aae4aa6c5e5bbbb6ac11f8c8eb9369134aea962caa652469c2a35ba2a961411071bb9dfba8485fee1827f9633217d2947744261ed08a9da5

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

testsevaer.kro.kr:6335

Mutex

257e54d5487aae3e024df308f1deeed9

Attributes

reg_key
257e54d5487aae3e024df308f1deeed9
splitter
|'|'|

Targets

- Target
  
  3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
- Size
  
  69KB
- MD5
  
  04ee19dcd3079ca37c8f829d2b30513f
- SHA1
  
  185f80cc3e7aa3ca8148bc83f240d3789d7e0706
- SHA256
  
  3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
- SHA512
  
  1d9ed9e96d4c0ef1aae4aa6c5e5bbbb6ac11f8c8eb9369134aea962caa652469c2a35ba2a961411071bb9dfba8485fee1827f9633217d2947744261ed08a9da5
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan