njrat | 0829f2ad0073017c40930f11fdcb892b6dae92a8d207687128c4bb8a4eb0ab43 | Triage

Sharing

General

Target

0829f2ad0073017c40930f11fdcb892b6dae92a8d207687128c4bb8a4eb0ab43
Size

43KB
Sample

220630-w2dbxahfc6
MD5

a5ba0a7d8bfd2ca07abc0a90914177c5
SHA1

56a7e7e22f3c4c42a6874a8c04193868e46444c3
SHA256

0829f2ad0073017c40930f11fdcb892b6dae92a8d207687128c4bb8a4eb0ab43
SHA512

952720e613630838d58493205bc5e251cb9221c74ad9e9038f08ce9ce18a89f3dd853cc829254062686c706783aeaac181d738dfe706c587163d8afa903797fe

Score

10^/10

njrat hackid persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKid

C2

thegoldfair01ifu8ck.hopto.org:7777

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  0829f2ad0073017c40930f11fdcb892b6dae92a8d207687128c4bb8a4eb0ab43
- Size
  
  43KB
- MD5
  
  a5ba0a7d8bfd2ca07abc0a90914177c5
- SHA1
  
  56a7e7e22f3c4c42a6874a8c04193868e46444c3
- SHA256
  
  0829f2ad0073017c40930f11fdcb892b6dae92a8d207687128c4bb8a4eb0ab43
- SHA512
  
  952720e613630838d58493205bc5e251cb9221c74ad9e9038f08ce9ce18a89f3dd853cc829254062686c706783aeaac181d738dfe706c587163d8afa903797fe
Score

10^/10

njrat hackid persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackidpersistencetrojan

behavioral2

njrathackidpersistencetrojan