njrat | 7eb83124847b72be762fe19ab6df81a664f4b6be2dc73bcc0ea446ab42457d58 | Triage

Sharing

General

Target

7eb83124847b72be762fe19ab6df81a664f4b6be2dc73bcc0ea446ab42457d58
Size

93KB
Sample

220701-hfsmtagcfk
MD5

6c6da35cdba7d22e8ac78b3752ce54f2
SHA1

50b92602a1ecc2ee5998d409e8310741f3a8bcac
SHA256

7eb83124847b72be762fe19ab6df81a664f4b6be2dc73bcc0ea446ab42457d58
SHA512

8ae128012fe457b14738c2018d1fa6ebde8189f604eff668977a07d0a9c255d3c4ac34b096b30a7e0aa83382b0b6dcdb05bff93e216f3566bf8a6874b5c81f6a

Score

10^/10

njrat hey evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hey

C2

FRANSESCOTI3LjAuFRANSESCOC4x:Nzc3Nw==

Mutex

12ac2e76abe6e325d355ee60632a103f

Attributes

reg_key
12ac2e76abe6e325d355ee60632a103f
splitter
|'|'|

Targets

- Target
  
  7eb83124847b72be762fe19ab6df81a664f4b6be2dc73bcc0ea446ab42457d58
- Size
  
  93KB
- MD5
  
  6c6da35cdba7d22e8ac78b3752ce54f2
- SHA1
  
  50b92602a1ecc2ee5998d409e8310741f3a8bcac
- SHA256
  
  7eb83124847b72be762fe19ab6df81a664f4b6be2dc73bcc0ea446ab42457d58
- SHA512
  
  8ae128012fe457b14738c2018d1fa6ebde8189f604eff668977a07d0a9c255d3c4ac34b096b30a7e0aa83382b0b6dcdb05bff93e216f3566bf8a6874b5c81f6a
Score

10^/10

njrat hey evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratheyevasiontrojan

behavioral2

njratheyevasiontrojan