njrat | daca1b92fb75a349e2973f63eaefab71d19ba35a3d655f607402a538d31dace6 | Triage

Sharing

General

Target

daca1b92fb75a349e2973f63eaefab71d19ba35a3d655f607402a538d31dace6
Size

37KB
Sample

220520-z59q3agfgj
MD5

db08b20b26289b912b5fb399f54b3b7e
SHA1

e73a0226846bbfdcb64a2507f2773317b1f26511
SHA256

daca1b92fb75a349e2973f63eaefab71d19ba35a3d655f607402a538d31dace6
SHA512

25c4e59559e2c1e48309174643bef2535fa040e683272a8be7c9a95accd7c36d5de6def8025e586866233b85e1bcbea570eaf4f3c778cb43c8ea0e9261a9265d

Score

10^/10

njrat hacked evasion persistence

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

vip009988.ddns.net:2222

Mutex

9d90632f968d93564077cfcbab6372c6

Attributes

reg_key
9d90632f968d93564077cfcbab6372c6
splitter
|'|'|

Targets

- Target
  
  daca1b92fb75a349e2973f63eaefab71d19ba35a3d655f607402a538d31dace6
- Size
  
  37KB
- MD5
  
  db08b20b26289b912b5fb399f54b3b7e
- SHA1
  
  e73a0226846bbfdcb64a2507f2773317b1f26511
- SHA256
  
  daca1b92fb75a349e2973f63eaefab71d19ba35a3d655f607402a538d31dace6
- SHA512
  
  25c4e59559e2c1e48309174643bef2535fa040e683272a8be7c9a95accd7c36d5de6def8025e586866233b85e1bcbea570eaf4f3c778cb43c8ea0e9261a9265d
Score

8^/10

evasion persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence