njrat | fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db | Triage

Sharing

General

Target

fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
Size

54KB
Sample

220701-hvn8yaaff4
MD5

0b0be038a905dfbdd3c957664f7567e7
SHA1

05c0cf8270dbb2015ccecbeba4b5d54ddcf92d48
SHA256

fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
SHA512

cfd01a4175b846c1e0e6324c392eb3100c33009ddb2cffa077f49df902277b9e4744b655182bf8c750961ddc1a3174aa830c5477465633a71c3ef7cfd2ab6963

Score

10^/10

njrat <<%m%>>evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

<<%M%>>

C2

ihebmokhles.no-ip.org:1177

Mutex

854084595525f7929d7da906e0d2d84a

Attributes

reg_key
854084595525f7929d7da906e0d2d84a
splitter
|'|'|

Targets

- Target
  
  fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
- Size
  
  54KB
- MD5
  
  0b0be038a905dfbdd3c957664f7567e7
- SHA1
  
  05c0cf8270dbb2015ccecbeba4b5d54ddcf92d48
- SHA256
  
  fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
- SHA512
  
  cfd01a4175b846c1e0e6324c392eb3100c33009ddb2cffa077f49df902277b9e4744b655182bf8c750961ddc1a3174aa830c5477465633a71c3ef7cfd2ab6963
Score

10^/10

njrat <<%m%>>evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrat<<%m%>>evasionpersistencetrojan

behavioral2