njrat | fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8 | Triage

Sharing

General

Target

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8
Size

181KB
Sample

220625-le929aegcj
MD5

0c9f666b100f08c29b172503c855f985
SHA1

20fff63d2e1afa452162f5224d7d7114e97afbf1
SHA256

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8
SHA512

59f3065b4c5879c15bef58e0814249464a1e3777a800c7443073e6b96003d14c61e36956e411afaf674b245223d02cd723afcaf75c8d7fea3ee9b252859e6264

Score

10^/10

njrat cass evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cass

C2

107.167.244.67:31922

Mutex

cf6e3f95a16ddd65e5d5ff36b6f40c8d

Attributes

reg_key
cf6e3f95a16ddd65e5d5ff36b6f40c8d
splitter
|'|'|

Targets

- Target
  
  fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8
- Size
  
  181KB
- MD5
  
  0c9f666b100f08c29b172503c855f985
- SHA1
  
  20fff63d2e1afa452162f5224d7d7114e97afbf1
- SHA256
  
  fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8
- SHA512
  
  59f3065b4c5879c15bef58e0814249464a1e3777a800c7443073e6b96003d14c61e36956e411afaf674b245223d02cd723afcaf75c8d7fea3ee9b252859e6264
Score

10^/10

njrat cass evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratcassevasiontrojan

behavioral2

njratcassevasiontrojan