njrat | 481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739 | Triage

Sharing

General

Target

481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739
Size

29KB
Sample

220714-eyx4gadccj
MD5

761931aa493ef696ab7a6114f5838279
SHA1

8930277e98496bc512f7f87f6b67cb90b693fc8b
SHA256

481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739
SHA512

d14742ec7bfb936396e4538821fd0df9a405939392f263e58ef669ee72f9288ae244e0ee37a00a814ba590385b320c085243fcaa5344f8c2608393d87937577f

Score

10^/10

njrat love evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

love

C2

hostmorning.no-ip.biz:1177

Mutex

a0ae746fbab3868c8ea432a9f04c7d16

Attributes

reg_key
a0ae746fbab3868c8ea432a9f04c7d16
splitter
|'|'|

Targets

- Target
  
  481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739
- Size
  
  29KB
- MD5
  
  761931aa493ef696ab7a6114f5838279
- SHA1
  
  8930277e98496bc512f7f87f6b67cb90b693fc8b
- SHA256
  
  481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739
- SHA512
  
  d14742ec7bfb936396e4538821fd0df9a405939392f263e58ef669ee72f9288ae244e0ee37a00a814ba590385b320c085243fcaa5344f8c2608393d87937577f
Score

10^/10

njrat love evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratloveevasionpersistencetrojan

behavioral2

njratlovetrojan