njrat | 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0 | Triage

Sharing

General

Target

12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0
Size

23KB
Sample

220701-emg8wabccp
MD5

c3937e4173da9306dc07e161ae067436
SHA1

cbfe2e5dcf01bdeca85d4b15bc258c97411f1c66
SHA256

12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0
SHA512

5fb4e8cbd7f6e3383368833531f60ebb05d59c5f746cc52012c50820332db28019a55f622db48087428a79fc8fe706c7297af14f6c239af0c25bd665dc1dc0ba

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

fsky2.hopto.org:5552

Mutex

2cc58bd89a2903b40440fbd58d12d95c

Attributes

reg_key
2cc58bd89a2903b40440fbd58d12d95c
splitter
|'|'|

Targets

- Target
  
  12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0
- Size
  
  23KB
- MD5
  
  c3937e4173da9306dc07e161ae067436
- SHA1
  
  cbfe2e5dcf01bdeca85d4b15bc258c97411f1c66
- SHA256
  
  12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0
- SHA512
  
  5fb4e8cbd7f6e3383368833531f60ebb05d59c5f746cc52012c50820332db28019a55f622db48087428a79fc8fe706c7297af14f6c239af0c25bd665dc1dc0ba
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan