njrat | 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443 | Triage

Sharing

General

Target

2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
Size

37KB
Sample

220630-wjjqzaehfr
MD5

743023f77b99de007c69bf2a5f6691d7
SHA1

d5f800818615f581f207a65c04ad76510724da72
SHA256

2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
SHA512

c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5

Score

10^/10

njrat svhost.exe evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

svhost.exe

C2

91.219.28.11:5552

Mutex

4c358cdc78434d13514be8b97373756a

Attributes

reg_key
4c358cdc78434d13514be8b97373756a
splitter
|'|'|

Targets

- Target
  
  2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
- Size
  
  37KB
- MD5
  
  743023f77b99de007c69bf2a5f6691d7
- SHA1
  
  d5f800818615f581f207a65c04ad76510724da72
- SHA256
  
  2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
- SHA512
  
  c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
Score

10^/10

njrat svhost.exe evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

svhost.exenjrat

behavioral1

njratsvhost.exeevasionpersistencetrojan

behavioral2

njratsvhost.exeevasionpersistencetrojan