njrat | 1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907 | Triage

Sharing

General

Target

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907
Size

601KB
Sample

220625-lvambsfdgj
MD5

d9c8bd38f224c7a9708ea0699ea0411b
SHA1

81d7ef1b4ab40e8aecedfc0964498d023c398b56
SHA256

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907
SHA512

8fa732f8d262911ca152b3555a2d134fe3919d105710f1c0877c60f2524113676c27910497171ca713082041480d0173064be6666ec23b93faee2ea2933f9b8a

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

134.249.177.58:1604

Mutex

262f5018bfdda234f289191972a2bad6

Attributes

reg_key
262f5018bfdda234f289191972a2bad6
splitter
|'|'|

Targets

- Target
  
  1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907
- Size
  
  601KB
- MD5
  
  d9c8bd38f224c7a9708ea0699ea0411b
- SHA1
  
  81d7ef1b4ab40e8aecedfc0964498d023c398b56
- SHA256
  
  1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907
- SHA512
  
  8fa732f8d262911ca152b3555a2d134fe3919d105710f1c0877c60f2524113676c27910497171ca713082041480d0173064be6666ec23b93faee2ea2933f9b8a
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan