njrat | 536823aedad97e09b78e086c114cb6d73ceee22b3ed6d7701133bdc05feeeba4 | Triage

Sharing

General

Target

536823aedad97e09b78e086c114cb6d73ceee22b3ed6d7701133bdc05feeeba4
Size

2.0MB
Sample

220716-31ea5sffd5
MD5

190a1776f091fffefc7c60d052664cf3
SHA1

a4b7c5059caa1882fc5d9ddb6c7eb7b44608bdd6
SHA256

536823aedad97e09b78e086c114cb6d73ceee22b3ed6d7701133bdc05feeeba4
SHA512

70283b7e1cb158b9c37f0e54a9fe532f48b42405d4a5ec7ad49d1c71894244765fe3153a23d696ec731f87d72a4d4bac426d1d3f2a1bfbf87cbabbd9452de431

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

shadowpro87.ddns.net:1177

Mutex

9165950e91e4e361fa21d31cf1cfc39b

Attributes

reg_key
9165950e91e4e361fa21d31cf1cfc39b
splitter
|'|'|

Targets

- Target
  
  536823aedad97e09b78e086c114cb6d73ceee22b3ed6d7701133bdc05feeeba4
- Size
  
  2.0MB
- MD5
  
  190a1776f091fffefc7c60d052664cf3
- SHA1
  
  a4b7c5059caa1882fc5d9ddb6c7eb7b44608bdd6
- SHA256
  
  536823aedad97e09b78e086c114cb6d73ceee22b3ed6d7701133bdc05feeeba4
- SHA512
  
  70283b7e1cb158b9c37f0e54a9fe532f48b42405d4a5ec7ad49d1c71894244765fe3153a23d696ec731f87d72a4d4bac426d1d3f2a1bfbf87cbabbd9452de431
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

evasionpersistence