njrat | 94cabbd0384d2e2adc52a3b5bd915094c5b259a02224f72b405446f89e21c0f8 | Triage

Sharing

General

Target

svhost.bin
Size

27KB
Sample

220628-b5j9eagbh7
MD5

cfe17591bdd8229d4936091110b1191f
SHA1

9390141522e14a88464cf87e781f18914fa1bdf2
SHA256

94cabbd0384d2e2adc52a3b5bd915094c5b259a02224f72b405446f89e21c0f8
SHA512

e8cac5a9ea132a9e0dfc9d606fa87ce4e2abf1ce4aa7b1369c7fd394b7f551e858a3df39c04a8cdf5e9d9e16b1472dd314e76c80b3b72b85fa2d0f619129027c

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

193.219.117.144:7777

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  svhost.bin
- Size
  
  27KB
- MD5
  
  cfe17591bdd8229d4936091110b1191f
- SHA1
  
  9390141522e14a88464cf87e781f18914fa1bdf2
- SHA256
  
  94cabbd0384d2e2adc52a3b5bd915094c5b259a02224f72b405446f89e21c0f8
- SHA512
  
  e8cac5a9ea132a9e0dfc9d606fa87ce4e2abf1ce4aa7b1369c7fd394b7f551e858a3df39c04a8cdf5e9d9e16b1472dd314e76c80b3b72b85fa2d0f619129027c
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencetrojan