njrat | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3 | Triage

Sharing

General

Target

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3
Size

579KB
Sample

220701-dpy4qsbdh2
MD5

4c4bde75b118d7db7df062e12a71a601
SHA1

57446c07b6893592a2dcea4ffa4e80bb52fdfb53
SHA256

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3
SHA512

f94d8f0dec04713a183d70860f6f90637fd0b14a14b78893df1ab99dcf70f582b1533a8569015800bebf855b09959693a332052dbe115706921f95aa12bf7bba

Score

10^/10

njrat xmasmoney evasion persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

XmasMoney

C2

185.244.30.248:4040

Mutex

65846043dcc7fda8dafdf43614eb84ef

Attributes

reg_key
65846043dcc7fda8dafdf43614eb84ef
splitter
|'|'|

Targets

- Target
  
  c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3
- Size
  
  579KB
- MD5
  
  4c4bde75b118d7db7df062e12a71a601
- SHA1
  
  57446c07b6893592a2dcea4ffa4e80bb52fdfb53
- SHA256
  
  c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3
- SHA512
  
  f94d8f0dec04713a183d70860f6f90637fd0b14a14b78893df1ab99dcf70f582b1533a8569015800bebf855b09959693a332052dbe115706921f95aa12bf7bba
Score

10^/10

njrat xmasmoney evasion persistence trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njratxmasmoneyevasionpersistencetrojanupx