njrat | ba4ea0f61e140f06caa9d668023037dadbd557f6dca732c6e495accc569ee2d6 | Triage

Sharing

General

Target

ba4ea0f61e140f06caa9d668023037dadbd557f6dca732c6e495accc569ee2d6
Size

43KB
Sample

220520-z4f3csgfbk
MD5

9e7274b8e1d27f8d746fe430830a6e1c
SHA1

1489bc7245c6cca6d14f508a53bcc4139316446a
SHA256

ba4ea0f61e140f06caa9d668023037dadbd557f6dca732c6e495accc569ee2d6
SHA512

c1208bebd3d6f101a881bfca5b1da0caafe1a3969789e1fa66c278cba1ba0efb0a46e02f113ed6f7f67947224ee4ceee9f91ad5d921fa0462776b003d426cd4b

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

rostislav404.ddns.net:9291

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  ba4ea0f61e140f06caa9d668023037dadbd557f6dca732c6e495accc569ee2d6
- Size
  
  43KB
- MD5
  
  9e7274b8e1d27f8d746fe430830a6e1c
- SHA1
  
  1489bc7245c6cca6d14f508a53bcc4139316446a
- SHA256
  
  ba4ea0f61e140f06caa9d668023037dadbd557f6dca732c6e495accc569ee2d6
- SHA512
  
  c1208bebd3d6f101a881bfca5b1da0caafe1a3969789e1fa66c278cba1ba0efb0a46e02f113ed6f7f67947224ee4ceee9f91ad5d921fa0462776b003d426cd4b
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan