njrat | 38df39b8f59e65ddfc8558b554ed8449815e2a1da263911f5fa5adc610101ae5 | Triage

Sharing

General

Target

38df39b8f59e65ddfc8558b554ed8449815e2a1da263911f5fa5adc610101ae5
Size

212KB
Sample

220625-xa4kfshge9
MD5

b6fb59b629ff7361ca59bc57d44b3ffe
SHA1

24ffe3043b12a6db42cae02a6f46e213e3012fce
SHA256

38df39b8f59e65ddfc8558b554ed8449815e2a1da263911f5fa5adc610101ae5
SHA512

a6b9c88f3caa11e255a7f13fb4eb59d3668e6814e86aa5b8f97a86728a856d8e748561ea717add208ab7cd1af438ae88c7959b856c54da0f67cb725e26319dec

Score

10^/10

njrat money$bea$t evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Money$Bea$t

C2

mailsdc61.ga:5490

Mutex

efc8d3c97ca9383f77f8c3938dbe8fdd

Attributes

reg_key
efc8d3c97ca9383f77f8c3938dbe8fdd
splitter
|'|'|

Targets

- Target
  
  38df39b8f59e65ddfc8558b554ed8449815e2a1da263911f5fa5adc610101ae5
- Size
  
  212KB
- MD5
  
  b6fb59b629ff7361ca59bc57d44b3ffe
- SHA1
  
  24ffe3043b12a6db42cae02a6f46e213e3012fce
- SHA256
  
  38df39b8f59e65ddfc8558b554ed8449815e2a1da263911f5fa5adc610101ae5
- SHA512
  
  a6b9c88f3caa11e255a7f13fb4eb59d3668e6814e86aa5b8f97a86728a856d8e748561ea717add208ab7cd1af438ae88c7959b856c54da0f67cb725e26319dec
Score

10^/10

njrat money$bea$t evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratmoney$bea$tevasionpersistencetrojan

behavioral2

njratmoney$bea$tevasionpersistencetrojan